WindowsServiceUpdate.exe is part of Windows Driver System Update and is developed by System Updates, according to the file's version information.
WindowsServiceUpdate.exe's description is "Windows Driver System Update Installer".
Version information is written by whoever builds the file and is not verified by Windows, so the product and company names are claims, not evidence of origin.
WindowsServiceUpdate.exe is digitally signed by EDH Systems Limited.
WindowsServiceUpdate.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected WindowsServiceUpdate.exe.
The following is the available information on WindowsServiceUpdate.exe:
| Property | Value |
|---|---|
| Product name | Windows Driver System Update |
| Company name | System Updates |
| File description | Windows Driver System Update Installer |
| Internal name | WindowsServiceUpdate |
| Original filename | WindowsServiceUpdate.exe |
| Legal copyright | Copyright (C) 2018 System Updates |
| Product version | 4.1.121 |
| File version | 4.1.121 |
A screenshot of the file's properties as displayed by Windows Explorer (not reproduced here) shows the same product name, company name, description, internal name, original filename, copyright and version values as the table above.
WindowsServiceUpdate.exe carries a valid Authenticode signature. Keep in mind what that proves: the file has not been modified since it was signed with a code-signing certificate issued to the signer named below. It does not vouch for what the code does. Note also that the signer (EDH Systems Limited) is not the company named in the file's version information (System Updates), and that neither is Microsoft despite the Windows-style product name; the VirusTotal results below show the file is flagged regardless of the signature.
| Property | Value |
|---|---|
| Signer name | EDH Systems Limited |
| Certificate issuer name | COMODO RSA Code Signing CA |
| Certificate serial number | 2b6959c8887810960b984798cab2b314 |
28 of the 65 anti-virus programs at VirusTotal detected the WindowsServiceUpdate.exe file. That's a 43% detection rate.
| Scanner | Detection Name |
|---|---|
| AhnLab-V3 | PUP/Win32.Installer.R247997 |
| Avast | Win32:Trojan-gen |
| AVG | Win32:Trojan-gen |
| CAT-QuickHeal | Trojan.Driverupdater |
| Comodo | Malware@#21ry5b68igaw5 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cyren | W32/Trojan.LZIF-0531 |
| DrWeb | Trojan.DownLoad4.11772 |
| ESET-NOD32 | a variant of Win32/TrojanDownloader.Agent.SJS.gen |
| Fortinet | W32/SysUpdate.SJS!tr.dldr |
| GData | Win32.Trojan.Agent.WFE8D1 |
| Ikarus | Trojan.Win32.DriverUpdater |
| Jiangmin | RiskTool.BitCoinMiner.jne |
| K7AntiVirus | Trojan-Downloader ( 005421fc1 ) |
| K7GW | Trojan-Downloader ( 005421fc1 ) |
| Kaspersky | HEUR:Trojan-Downloader.Win32.SysUpdate.gen |
| Malwarebytes | RiskWare.BitCoinMiner |
| MAX | malware (ai score=100) |
| McAfee | Trojan-FQFM!928BF79AF36A |
| McAfee-GW-Edition | Trojan-FQFM!928BF79AF36A |
| Microsoft | Trojan:Win32/DriverUpdater.A |
| Panda | Trj/CI.A |
| Qihoo-360 | HEUR/QVM41.2.900D.Malware.Gen |
| Sophos | Mal/Generic-S |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Win32.Trojan-downloader.Agent.Hsil |
| Webroot | W32.Rogue.Gen |
| ZoneAlarm | HEUR:Trojan-Downloader.Win32.SysUpdate.gen |
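A detection table like the one above is easier to act on once the vendor labels are reduced to one vocabulary. The following is an added example, not FreeFixer's or VirusTotal's code, that sorts the labels into categories, lets specific verdicts outrank generic ones, and looks for family names that several engines agree on. `DETECTIONS` is a constructed subset of the table; the category patterns, their precedence and the stop-word list are assumptions about how vendor naming schemes map onto each other.

```python
"""Reduce a VirusTotal detection table to a category and family consensus.

Added example, not FreeFixer's or VirusTotal's code. DETECTIONS is a
constructed subset of the table above (engine -> label). The category
patterns, their precedence and the stop-word list are the author's
assumptions about how vendor naming schemes map onto one vocabulary.
"""
import re
from collections import Counter

DETECTIONS = {  # constructed from the table above
    "AhnLab-V3": "PUP/Win32.Installer.R247997",
    "Avast": "Win32:Trojan-gen",
    "CAT-QuickHeal": "Trojan.Driverupdater",
    "CrowdStrike": "win/malicious_confidence_100% (W)",
    "DrWeb": "Trojan.DownLoad4.11772",
    "ESET-NOD32": "a variant of Win32/TrojanDownloader.Agent.SJS.gen",
    "Fortinet": "W32/SysUpdate.SJS!tr.dldr",
    "Ikarus": "Trojan.Win32.DriverUpdater",
    "Jiangmin": "RiskTool.BitCoinMiner.jne",
    "Kaspersky": "HEUR:Trojan-Downloader.Win32.SysUpdate.gen",
    "Malwarebytes": "RiskWare.BitCoinMiner",
    "MAX": "malware (ai score=100)",
    "Microsoft": "Trojan:Win32/DriverUpdater.A",
    "Sophos": "Mal/Generic-S",
    "Symantec": "ML.Attribute.HighConfidence",
    "Webroot": "W32.Rogue.Gen",
}

# First matching pattern wins, so a specific verdict (downloader, miner, PUP)
# beats a bare "Trojan" and a heuristic or ML "generic" verdict.
CATEGORIES = [
    ("downloader", re.compile(r"downloader|download|dldr", re.I)),
    ("miner", re.compile(r"miner", re.I)),
    ("pup", re.compile(r"\bpup\b|riskware|risktool|rogue|installer", re.I)),
    ("generic", re.compile(r"generic|\bml\b|ai score|malicious_confidence|gen$", re.I)),
    ("trojan", re.compile(r"trojan|\btrj\b", re.I)),
]
NONSPECIFIC = {"generic", "trojan", "other"}
# Naming-scheme words that carry no family information (assumed list).
STOPWORDS = {"trojan", "trojandownloader", "downloader", "download", "dldr", "agent",
             "variant", "generic", "malware", "malicious", "confidence", "highconfidence",
             "attribute", "heur", "riskware", "risktool", "rogue", "installer"}


def categorize(label):
    """Map one vendor label to a category; 'other' when no pattern matches."""
    return next((name for name, pat in CATEGORIES if pat.search(label)), "other")


def family_hints(detections, min_vendors=2):
    """Name-like tokens that at least min_vendors engines share (one vote per engine)."""
    votes = Counter()
    for label in detections.values():
        tokens = {t.lower() for t in re.findall(r"[A-Za-z]{4,}", label)}
        votes.update(t for t in tokens if t not in STOPWORDS)
    return {t: n for t, n in votes.items() if n >= min_vendors}


def consensus(detections):
    """Category tally, the leading specific category and the shared family hints."""
    cats = Counter(categorize(label) for label in detections.values())
    specific = [(n, c) for c, n in cats.items() if c not in NONSPECIFIC]
    leading = max(specific)[1] if specific else None  # ties break on the category name
    return {"categories": cats, "leading_specific": leading,
            "family_hints": family_hints(detections)}


if __name__ == "__main__":
    result = consensus(DETECTIONS)
    print(dict(result["categories"]), result["leading_specific"], result["family_hints"])
```

Run on the subset, the tally is five generic or ML verdicts, three bare trojan labels, four downloader verdicts and two each for miner and PUP, so the leading specific category is downloader, and the family tokens that at least two engines share are DriverUpdater, SysUpdate and BitCoinMiner. A plain majority count would have made "generic" the winner, which is why the nonspecific labels are tallied but not allowed to decide.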
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
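The summary that follows is long, and most of it is ordinary Windows Installer and WinTrust activity. The following is an added example, not FreeFixer's or Cuckoo's code, that pulls out the few lines an analyst would act on: the silent `msiexec /i ... /quiet /qn` launch of a package staged under AppData, the executables dropped there, the Run-key and `.job` file activity, and the AuthRoot certificate-store change. `SAMPLE` is a constructed excerpt of the report below; the key names are the Cuckoo summary keys used on this page, while the severity scale and the reading of the AuthRoot change are analyst assumptions.

```python
"""Triage a Cuckoo behaviour summary for installer-style droppers.

Added example, not FreeFixer's or Cuckoo's own code. It reads the summary
keys shown on this page (command_line, file_written, file_deleted, regkey_*,
resolves_host); SAMPLE is a constructed excerpt of the report below. The
severity scale and the "root-store auto-update" reading of the AuthRoot
change are analyst assumptions, not facts Cuckoo reports.
"""
import re

SAMPLE = {  # constructed excerpt of the summary printed on this page
    "command_line": [r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\cuck\AppData\Roaming\System Updates\Windows Driver System Update 4.1.121\install\F71FCF6\exe.x64.msi" /quiet /qn AI_SETUPEXEPATH=C:\Users\cuck\AppData\Local\Temp\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin SETUPEXEDIR=C:\Users\cuck\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates "'],
    "file_written": [
        r"C:\Users\cuck\AppData\Local\Temp\MSI7B35.tmp",
        r"C:\Users\cuck\AppData\Roaming\System Updates\Windows Driver System Update 4.1.121\install\F71FCF6\unrar.exe",
        r"C:\Users\cuck\AppData\Roaming\System Updates\Windows Driver System Update 4.1.121\install\F71FCF6\exe.x64.msi",
        r"C:\Users\cuck\AppData\Roaming\System Updates\Windows Driver System Update 4.1.121\install\decoder.dll",
        r"C:\Users\cuck\AppData\Roaming\System Updates\Windows Driver System Update 4.1.121\install\F71FCF6\Windows Driver System Updater.exe",
    ],
    "file_deleted": [r"C:\Windows\Tasks\C__Users_cuck_AppData_Local_Temp_ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin.job"],
    "regkey_opened": [
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    ],
    "regkey_read": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Local\Temp\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin"],
    "regkey_deleted": [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE"],
    "resolves_host": ["www.download.windowsupdate.com", "crt.comodoca.com"],
}

USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
MSI_INVOKE = re.compile(r'msiexec(?:\.exe)?"?\s.*?/i\s+"?([^"]+?\.msi)"?', re.I)
QUIET_FLAG = re.compile(r"\s/q(?:n|uiet|b)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.I)
JOB_FILE = re.compile(r"\\Windows\\Tasks\\[^\\]+\.job$", re.I)
AUTHROOT = re.compile(r"\\SystemCertificates\\AuthRoot\\", re.I)
ROOT_UPDATE_HOSTS = {"www.download.windowsupdate.com", "ctldl.windowsupdate.com"}
PAYLOAD_EXT = (".exe", ".dll", ".msi", ".7z")


def silent_msi_installs(summary):
    """msiexec /i invocations, noting quiet flags and a package inside the user profile."""
    hits = []
    for cmd in summary.get("command_line", []):
        m = MSI_INVOKE.search(cmd)
        if m:
            msi = m.group(1)
            hits.append({"msi": msi, "silent": bool(QUIET_FLAG.search(cmd)),
                         "user_profile": bool(USER_PROFILE.match(msi))})
    return hits


def dropped_payloads(summary):
    """Basenames of executable content written under AppData (temp files ignored)."""
    names = {p.rsplit("\\", 1)[-1]
             for f in ("file_written", "file_created") for p in summary.get(f, [])
             if USER_PROFILE.match(p) and p.lower().endswith(PAYLOAD_EXT)}
    return sorted(names, key=str.lower)


def persistence_probes(summary):
    """Run-key access and legacy Task Scheduler .job files created, written or deleted."""
    run_keys = sorted({k for f in ("regkey_opened", "regkey_read", "regkey_written")
                       for k in summary.get(f, []) if RUN_KEY.search(k)})
    job_files = sorted({p for f in ("file_created", "file_written", "file_deleted")
                        for p in summary.get(f, []) if JOB_FILE.search(p)})
    return {"run_keys": run_keys, "job_files": job_files}


def cert_store_changes(summary):
    """AuthRoot store changes, plus whether a root-update host was resolved alongside them."""
    keys = sorted({k for f in ("regkey_deleted", "regkey_written")
                   for k in summary.get(f, []) if AUTHROOT.search(k)})
    # Assumption: AuthRoot churn next to a windowsupdate.com lookup is the
    # automatic root-certificate update that chain building triggers, so it
    # is downgraded rather than treated as the sample tampering with trust.
    resolved = set(summary.get("resolves_host", []))
    return {"keys": keys, "root_update_lookup": bool(resolved & ROOT_UPDATE_HOSTS)}


def triage(summary):
    """Ordered (severity, description) findings; the severity scale is an assumption."""
    out = [("high", "silent msiexec install from user profile: " + h["msi"])
           for h in silent_msi_installs(summary) if h["silent"] and h["user_profile"]]
    if payloads := dropped_payloads(summary):
        out.append(("medium", "executable content dropped under AppData: " + ", ".join(payloads)))
    probes = persistence_probes(summary)
    for label, paths in (("Run key", probes["run_keys"]), ("Task Scheduler .job file", probes["job_files"])):
        if paths:
            out.append(("medium", label + " touched: " + "; ".join(paths)))
    certs = cert_store_changes(summary)
    if certs["keys"]:
        sev = "info" if certs["root_update_lookup"] else "high"
        out.append((sev, "AuthRoot store change: " + "; ".join(certs["keys"])))
    return out


if __name__ == "__main__":
    for sev, text in triage(SAMPLE):
        print(f"[{sev}] {text}")
```

Run against the excerpt it reports one high finding (the silent MSI install from the user profile), three medium ones (the dropped executables, the Run-key access, the `.job` file under C:\Windows\Tasks) and downgrades the AuthRoot deletion to info, because the lookups of www.download.windowsupdate.com and crt.comodoca.com next to it are consistent with the automatic root-certificate update and AIA chain fetch that WinTrust performs while verifying the package's signature; on this evidence alone those two hosts should not be read as command-and-control.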
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.msi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\holder0.aiph",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"\\Device\\KsecDD",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users"
],
"dll_loaded": [
"C:\\Windows\\system32\\wininet.dll",
"cryptnet.dll",
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"api-ms-win-appmodel-runtime-l1-1-1",
"C:\\Windows\\system32\\urlmon.dll",
"api-ms-win-core-localization-l1-2-1",
"DNSAPI.dll",
"C:\\Windows\\SysWOW64\\SHLWAPI.DLL",
"cryptsp.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"ncrypt.dll",
"C:\\Windows\\system32\\RICHED20.DLL",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"C:\\Windows\\system32\\propsys.dll",
"crypt32.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"SspiCli.dll",
"advapi32.dll",
"COMCTL32",
"C:\\Windows\\system32\\bcrypt.dll",
"SHLWAPI.dll",
"USER32.dll",
"C:\\Windows\\system32\\comctl32.dll",
"C:\\Windows\\system32\\shlwapi.dll",
"C:\\Windows\\syswow64\\CRYPT32.dll",
"WINTRUST.dll",
"C:\\Windows\\system32\\version.dll",
"SHELL32.dll",
"C:\\Windows\\System32\\wship6.dll",
"C:\\Windows\\system32\\user32.dll",
"setupapi.dll",
"C:\\Windows\\system32\\shell32.dll",
"CFGMGR32.dll",
"C:\\Windows\\SysWOW64\\RPCRT4.DLL",
"C:\\Windows\\system32\\crypt32.dll",
"C:\\Windows\\SysWOW64\\KERNEL32.DLL",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"C:\\Windows\\system32\\dbghelp.dll",
"C:\\Windows\\system32\\shcore.dll",
"C:\\Windows\\system32\\setupapi.dll",
"kernel32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"SensApi.dll",
"ntdll.dll",
"C:\\Windows\\system32\\USP10.dll",
"C:\\Windows\\system32\\apphelp.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"C:\\Windows\\system32\\gdiplus.dll",
"IPHLPAPI.DLL",
"C:\\Windows\\SysWOW64\\NTDLL.DLL",
"C:\\Windows\\system32\\gdi32.dll",
"profapi.dll",
"COMCTL32.dll",
"VERSION.dll",
"C:\\Windows\\system32\\advapi32.dll",
"C:\\Windows\\system32\\cryptnet.dll",
"C:\\Windows\\SysWOW64\\MSCOREE.DLL",
"C:\\Windows\\SysWOW64\\SHELL32.DLL",
"DEVRTL.dll",
"Cabinet.dll",
"WINHTTP.dll",
"C:\\Windows\\system32\\usp10.dll",
"api-ms-win-core-sysinfo-l1-2-1",
"C:\\Windows\\system32\\rsaenh.dll",
"C:\\Windows\\system32\\mpr.dll",
"C:\\Windows\\system32\\davhlpr.dllole32.dll",
"C:\\Windows\\SysWOW64\\OLE32.DLL",
"C:\\Windows\\SysWOW64\\ADVAPI32.DLL",
"C:\\Windows\\system32\\cabinet.dll",
"C:\\Windows\\system32\\msasn1.dll",
"C:\\Windows\\system32\\msls31.dll",
"CRYPTSP.dll",
"ext-ms-win-kernel32-package-current-l1-1-0",
"C:\\Windows\\system32\\msimg32.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"C:\\Windows\\SysWOW64\\APPHELP.DLL",
"C:\\Windows\\system32\\kernel32.dll",
"C:\\Windows\\SysWOW64\\SAGE.DLL",
"ole32.dll",
"NSI.dll",
"api-ms-win-core-fibers-l1-1-1",
"msi.dll",
"ADVAPI32.dll",
"SETUPAPI.dll",
"WS2_32.dll",
"gdiplus.dll",
"C:\\Windows\\system32\\lpk.dll",
"kernel32",
"credssp.dll",
"C:\\Windows\\system32\\msi.dll",
"C:\\Windows\\SysWOW64\\NETAPI32.DLL",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"C:\\Windows\\system32\\WindowsCodecs.dll",
"api-ms-win-core-synch-l1-2-0",
"imm32.dll",
"C:\\Windows\\system32\\secur32.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\system32\\wintrust.dll",
"C:\\Windows\\system32\\comdlg32.dll",
"C:\\Windows\\SysWOW64\\msi.dll",
"MSISIP.DLL",
"winhttp.dll",
"C:\\Windows\\system32\\cryptsp.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"C:\\Windows\\system32\\dwmapi.dll",
"C:\\Windows\\system32\\profapi.dll",
"C:\\Windows\\SysWOW64\\VERSION.DLL",
"C:\\Windows\\system32\\msihnd.dll",
"OLEAUT32.dll",
"RPCRT4.dll",
"C:\\Windows\\system32\\oleaut32.dll",
"C:\\Windows\\system32\\userenv.dll",
"C:\\Windows\\system32\\psapi.dll",
"\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Windows\\SysWOW64\\TSAPPCMP.DLL",
"C:\\Windows\\SysWOW64\\USER32.DLL",
"C:\\Windows\\system32\\mswsock.dll",
"Ntdll.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Windows\\SysWOW64\\en-US\\sxs.DLL.mui",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Windows\\System32\\msimsg.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Windows\\AppPatch\\msimain.sdb",
"C:\\Windows\\SysWOW64\\sxs.dll",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Windows\\SysWOW64\\msimsg.dll",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp"
],
"command_line": [
"\"C:\\Windows\\system32\\msiexec.exe\" \/i \"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi\" \/quiet \/qn AI_SETUPEXEPATH=C:\\Users\\cuck\\AppData\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin SETUPEXEDIR=C:\\Users\\cuck\\AppData\\Local\\Temp\\ EXE_CMD_LINE=\"\/exenoupdates \" "
],
"regkey_opened": [
"HKEY_CURRENT_USER\\CLSID\\{000C103E-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Products\\0F744DF3340967E4280DCA89F117CF6F",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
"HKEY_LOCAL_MACHINE\\Software\\Classes\\Installer\\UpgradeCodes\\50F070082576EA547AD19C9D033CD618",
"HKEY_CURRENT_USER\\Interface\\{000C101D-0000-0000-C000-000000000046}",
"HKEY_CURRENT_USER\\Interface\\{000C101C-0000-0000-C000-000000000046}",
"HKEY_CLASSES_ROOT\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\UpgradeCodes\\50F070082576EA547AD19C9D033CD618",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch\\v2.0.50727.00000\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101C-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Classes\\Installer\\Products\\0F744DF3340967E4280DCA89F117CF6F",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\UpgradeCodes\\50F070082576EA547AD19C9D033CD618",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\0F744DF3340967E4280DCA89F117CF6F\\InstallProperties",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch\\v2.0.50727.00000",
"HKEY_CURRENT_USER\\Software\\Microsoft\\MS Setup (ACME)\\User Info",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101D-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\msiexec.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Installer",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Installer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\msiexec.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\InProgress",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Products\\0F744DF3340967E4280DCA89F117CF6F",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\FileSystem",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
],
"resolves_host": [
"www.download.windowsupdate.com",
"crt.comodoca.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.msi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
],
"file_deleted": [
"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.msi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\holder0.aiph",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\FILES.7z",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp",
"C:\\Windows\\Tasks\\C__Users_cuck_AppData_Local_Temp_ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin.job",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.7z"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121"
],
"file_exists": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.dll",
"C:\\ProgramData",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"C:\\Config.Msi",
"C:\\Windows\\System32\\qagentrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\cuckoo_1788.ini",
"C:\\Windows\\inf\\",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.msi",
"C:\\Windows\\SysWOW64\\MSCOREE.DLL.local",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\System32\\p2pcollab.dll",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Windows\\System32\\msi.dll",
"C:\\Windows\\SysWOW64\\sxs.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe"
],
"mutex": [
"Global\\_MSIExecute"
],
"file_failed": [
"C:\\Windows\\SysWOW64\\zh-HK\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\pt-BR\\sxs.DLL.mui",
"\\??\\L:",
"C:\\Windows\\SysWOW64\\de-DE\\sxs.DLL.mui",
"\\??\\N:",
"\\??\\U:",
"C:\\Windows\\SysWOW64\\hr-HR\\sxs.DLL.mui",
"\\??\\H:",
"\\??\\W:",
"\\??\\J:",
"C:\\Windows\\SysWOW64\\pl-PL\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ar-SA\\sxs.DLL.mui",
"\\??\\E:",
"\\??\\Z:",
"\\??\\P:",
"\\??\\D:",
"\\??\\S:",
"C:\\Windows\\SysWOW64\\nb-NO\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\et-EE\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\sr-Latn-CS\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\th-TH\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\hu-HU\\sxs.DLL.mui",
"C:\\Config.Msi",
"\\??\\B:",
"C:\\Windows\\SysWOW64\\bg-BG\\sxs.DLL.mui",
"C:\\cuckoo_1788.ini",
"C:\\Windows\\SysWOW64\\en\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\el-GR\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ko-KR\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\fi-FI\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\tr-TR\\sxs.DLL.mui",
"\\??\\X:",
"\\??\\F:",
"\\??\\Q:",
"C:\\Windows\\SysWOW64\\fr-FR\\sxs.DLL.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin.config",
"C:\\Windows\\SysWOW64\\lv-LV\\sxs.DLL.mui",
"\\??\\O:",
"C:\\Windows\\SysWOW64\\nl-NL\\sxs.DLL.mui",
"\\??\\T:",
"\\??\\I:",
"\\??\\V:",
"C:\\Windows\\SysWOW64\\he-IL\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ja-JP\\sxs.DLL.mui",
"\\??\\G:",
"C:\\Windows\\SysWOW64\\pt-PT\\sxs.DLL.mui",
"\\??\\K:",
"C:\\Windows\\SysWOW64\\da-DK\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\sl-SI\\sxs.DLL.mui",
"\\??\\R:",
"C:\\Windows\\SysWOW64\\lt-LT\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\es-ES\\sxs.DLL.mui",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\74FBF93595CFC8459196065CE54AD928",
"C:\\Windows\\SysWOW64\\zh-CN\\sxs.DLL.mui",
"\\??\\A:",
"\\??\\M:",
"C:\\Windows\\SysWOW64\\zh-TW\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\uk-UA\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\sv-SE\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\sk-SK\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\cs-CZ\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ru-RU\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ro-RO\\sxs.DLL.mui",
"\\??\\Y:",
"C:\\Windows\\SysWOW64\\it-IT\\sxs.DLL.mui"
],
"guid": [
"{00000323-0000-0000-c000-000000000046}",
"{148bd527-a2ab-11ce-b11f-00aa00530503}",
"{00000146-0000-0000-c000-000000000046}",
"{000c101c-0000-0000-c000-000000000046}",
"{00000000-0000-0000-c000-000000000046}",
"{148bd52a-a2ab-11ce-b11f-00aa00530503}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\com",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\FxsTmp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\manifeststore",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\LogFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Recovery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentMinorVersionNumber",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\wdi",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\.",
"HKEY_CURRENT_USER\\Control Panel\\International\\LocaleName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C1033-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ProductOptions\\ProductSuite",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\..",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\4F74C5EF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ProductOptions\\ProductType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\DriverStore",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msi\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Tasks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\catroot",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\migwiz",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\inetsrv",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\GroupPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sppui",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\slmgr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\InstallShield",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ras",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Msdtc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\wbem",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C1025-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\migration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\AdvancedInstallers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\restore",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\catroot2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\spp",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101C-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\icsxml",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\oobe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\FileSystem\\Win31FileSystem",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentMajorVersionNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Dism",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\GroupPolicyUsers",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msi\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\NDF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\WCN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\IME",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\MUI",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Speech",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\0409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101D-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\NetworkList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\drivers",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\winrm",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir (x86)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\WindowsPowerShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Printing_Admin_Scripts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sysprep",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\ScreenSaverIsSecure",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\WindowsServiceUpdate.ini",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\SysWOW64\\*"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList"
]
}
[
{
"yara": [],
"sha1": "cf925fc512b936fe7d44ceb6e999e4a020ed6ff0",
"name": "4c9c4d831d61c8c3_Cab6555.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"type": "Microsoft Cabinet archive data, 56952 bytes, 1 file",
"sha256": "4c9c4d831d61c8c38b2513f9b431ef4f4cf6af9fb18a2317cd2178d6e0997822",
"urls": [],
"crc32": "5168F337",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9989\/files\/4c9c4d831d61c8c3_Cab6555.tmp",
"ssdeep": null,
"size": 56952,
"sha512": "65dc435f6d3e1afd347ba1617a3eee59c6660f221faa36456a09e307d434d7276e8095e8aa34d59933e685a9f84564ec783e59ae9658791f7ebdbbc2eda32f7a",
"pids": [
2392
],
"md5": "04d79a0dc77a8f449cbff6252862d398"
},
{
"yara": [],
"sha1": "cf6f8a1414a680d45e5a7f792fa169f9470d7a50",
"name": "03dfd3403dabaeea_MSI7B35.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "03dfd3403dabaeea35b89fb9bdab847fb36a62ce3329d589e6ee2f21bf8cb85a",
"urls": [
"http:\/\/s.symcb.com\/universal-root.crl0",
"https:\/\/www.thawte.com\/cps0\/",
"https:\/\/d.symcb.com\/cps0%",
"https:\/\/www.advancedinstaller.com",
"http:\/\/ts-ocsp.ws.symantec.com0",
"http:\/\/s.symcd.com06",
"http:\/\/ts-aia.ws.symantec.com\/sha256-tss-ca.cer0(",
"http:\/\/tl.symcb.com\/tl.crl0",
"https:\/\/d.symcb.com\/rpa0.",
"http:\/\/t2.symcb.com0",
"http:\/\/t1.symcb.com\/ThawtePCA.crl0",
"http:\/\/tl.symcb.com\/tl.crt0",
"https:\/\/www.thawte.com\/repository0W",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/tl.symcd.com0",
"http:\/\/ts-crl.ws.symantec.com\/sha256-tss-ca.crl0"
],
"crc32": "4BE95FEB",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9989\/files\/03dfd3403dabaeea_MSI7B35.tmp",
"ssdeep": null,
"size": 345248,
"sha512": "c8a174fef61c73c4a0f0cd20f2478aaf8e0417665d60dc860505c806454eaba849b04971c1501894a345f819d914d67165990190fe660574cc4e9b779cb44d18",
"pids": [
2392
],
"md5": "b971c7904fe6fae559d9579ce088f847"
},
{
"yara": [],
"sha1": "85b2fc7b2413d9efe3bb2aeb72a92d2549674c4c",
"name": "8ca473d360a66a22_Windows Driver System Updater.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "8ca473d360a66a22313148e269ebd22527f5620c5c545f02066f9267afca4668",
"urls": [
"http:\/\/crl4.digicert.com\/sha2-assured-ts.crl0",
"http:\/\/cacerts.digicert.com\/DigiCertSHA2AssuredIDTimestampingCA.crt0",
"http:\/\/crl3.digicert.com\/DigiCertAssuredIDRootCA.crl0P",
"http:\/\/ocsp.comodoca.com0",
"http:\/\/ocsp.digicert.com0O",
"http:\/\/crl.comodoca.com\/COMODORSACertificationAuthority.crl0q",
"http:\/\/crl.comodoca.com\/COMODORSACodeSigningCA.crl0t",
"http:\/\/crl4.digicert.com\/DigiCertAssuredIDRootCA.crl0:",
"https:\/\/secure.comodo.net\/CPS0C",
"http:\/\/cacerts.digicert.com\/DigiCertAssuredIDRootCA.crt0",
"http:\/\/crt.comodoca.com\/COMODORSACodeSigningCA.crt0",
"http:\/\/ocsp.digicert.com0C",
"http:\/\/crl3.digicert.com\/sha2-assured-ts.crl02",
"https:\/\/www.digicert.com\/CPS0",
"http:\/\/crt.comodoca.com\/COMODORSAAddTrustCA.crt0"
],
"crc32": "82AAE98C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9989\/files\/8ca473d360a66a22_Windows Driver System Updater.exe",
"ssdeep": null,
"size": 881456,
"sha512": "0e3b014999ce05690ce26e1e452f900f5ffb0e3c233e8909f00b0b4a3e982a5bcce11175ceb49b085042cbdc0eedc20c7e4c3ed13f069e64d2eb7884112ec349",
"pids": [
2392
],
"md5": "d9cddb9a20436d08d8ceb0f8519cee91"
},
{
"yara": [],
"sha1": "c64ad224b877cd5bbdcdb1799b71f3682602d231",
"name": "b0a39e28d93f7822_Tar6556.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp",
"type": "data",
"sha256": "b0a39e28d93f7822fe6cac1e082c7adc581dcd2b61eb9f536e74bd14a75b27bc",
"urls": [
"http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0",
"http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07",
"http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0",
"http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0",
"http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u"
],
"crc32": "B495BE07",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9989\/files\/b0a39e28d93f7822_Tar6556.tmp",
"ssdeep": null,
"size": 138525,
"sha512": "0663fb22bcefd0ac5f090104322a8c0dc1ceb77a168b589d7dbb9a74d109daf38beac97dab715220abab08c355496f5719159e17995248caa19eff45bc2a5d46",
"pids": [
2392
],
"md5": "0e34ebf89b843b303f0fb5f194be9d28"
},
{
"yara": [],
"sha1": "71845adfec8c3dfb37cd4a88eee33eb199d14360",
"name": "a2ee3d312c4d9234_unrar.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe",
"type": "PE32 executable (console) Intel 80386, for MS Windows",
"sha256": "a2ee3d312c4d92346d47c35346276db10b525452e88c11142bd2ea72a9f035f5",
"urls": [
"http:\/\/s.symcb.com\/universal-root.crl0",
"http:\/\/ts-crl.ws.symantec.com\/sha256-tss-ca.crl0",
"http:\/\/ts-crl.ws.symantec.com\/tss-ca-g2.crl0(",
"https:\/\/d.symcb.com\/cps0%",
"http:\/\/ocsp.comodoca.com0",
"http:\/\/crl.thawte.com\/ThawteTimestampingCA.crl0",
"http:\/\/ts-ocsp.ws.symantec.com0",
"http:\/\/s.symcd.com06",
"http:\/\/crl.comodoca.com\/COMODORSACertificationAuthority.crl0q",
"http:\/\/crl.comodoca.com\/COMODORSACodeSigningCA.crl0t",
"http:\/\/ts-aia.ws.symantec.com\/sha256-tss-ca.cer0(",
"http:\/\/ocsp.thawte.com0",
"https:\/\/secure.comodo.net\/CPS0C",
"http:\/\/ts-aia.ws.symantec.com\/tss-ca-g2.cer0",
"http:\/\/crt.comodoca.com\/COMODORSACodeSigningCA.crt0",
"https:\/\/d.symcb.com\/rpa0.",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/crt.comodoca.com\/COMODORSAAddTrustCA.crt0",
"http:\/\/ts-ocsp.ws.symantec.com07"
],
"crc32": "D630B32E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9989\/files\/a2ee3d312c4d9234_unrar.exe",
"ssdeep": null,
"size": 371416,
"sha512": "8744f6dfccb817d205799db3a8ae1e0cba966d7b8a124e91b65bbfa2dd7c98eddb1a8d76a7eb33437cd733381000096f01b539b719c4e74b33ffb937d5f2ed5c",
"pids": [
2392
],
"md5": "99f5f4642140f01cdae3b50395826e7d"
},
{
"yara": [],
"sha1": "65ba6a5adec6851c34e7cd3c4c41306dfe2dcbc1",
"name": "b30f5050828197bb_holder0.aiph",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\holder0.aiph",
"type": "data",
"sha256": "b30f5050828197bb283dcb143952795c9d5885c23f66d8ec22c3ea6806d1ece9",
"urls": [],
"crc32": "799F948F",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9989\/files\/b30f5050828197bb_holder0.aiph",
"ssdeep": null,
"size": 1252872,
"sha512": "294fbfcde49b6de7851f991dbba6f63d8597f28c0f4a679f5e35fc897adaa6e72b5f63cc19751b10cb1740568e40d6a058c30d83aaea64d92bd9803708e8d08b",
"pids": [],
"md5": "2e7c53b3c483d65d0fffb684eaceffd1"
},
{
"yara": [
{
"meta": {
"description": "Contains an embedded PE32 file",
"author": "nex"
},
"name": "embedded_pe",
"offsets": {
"b": [
[
117326,
0
],
[
752206,
0
],
[
768590,
0
],
[
1121870,
0
],
[
1711694,
0
]
]
},
"strings": [
"VGhpcyBwcm9ncmFt"
]
},
{
"meta": {
"description": "A non-Windows executable contains win32 API functions names",
"author": "nex"
},
"name": "embedded_win_api",
"offsets": {
"api6": [
[
711276,
5
],
[
1083598,
5
],
[
1667144,
5
],
[
2168154,
5
]
],
"api7": [
[
712118,
4
],
[
756252,
4
],
[
1082578,
4
],
[
1082664,
4
],
[
1668428,
4
]
],
"api2": [
[
710752,
0
],
[
1083000,
0
],
[
1666808,
0
],
[
2167798,
0
]
],
"api8": [
[
1667252,
1
]
],
"api14": [
[
1667252,
1
]
],
"api12": [
[
711288,
3
],
[
712872,
3
],
[
1083566,
3
],
[
1086172,
3
],
[
1667110,
3
],
[
1669430,
3
],
[
2167922,
3
],
[
2169532,
3
]
],
"api13": [
[
711058,
2
],
[
1083786,
2
],
[
1666756,
2
],
[
2168056,
2
]
]
},
"strings": [
"R2V0UHJvY0FkZHJlc3M=",
"R2V0V2luZG93c0RpcmVjdG9yeQ==",
"R2V0VGVtcFBhdGg=",
"U2V0RmlsZVBvaW50ZXI=",
"U2hlbGxFeGVjdXRl",
"V3JpdGVGaWxl"
]
},
{
"meta": {
"description": "Matched shellcode byte patterns",
"author": "nex"
},
"name": "shellcode",
"offsets": {
"shell5": [
[
504544,
1
],
[
504567,
1
],
[
937616,
1
],
[
937639,
1
],
[
1461760,
1
],
[
1461783,
1
],
[
1987024,
1
],
[
1987047,
1
]
],
"shell6": [
[
457584,
2
],
[
457845,
2
],
[
460044,
2
],
[
471854,
2
],
[
473119,
2
],
[
473508,
2
],
[
483186,
2
],
[
506864,
2
],
[
508069,
2
],
[
511245,
2
],
[
520914,
2
],
[
892535,
2
],
[
892796,
2
],
[
894911,
2
],
[
906865,
2
],
[
907564,
2
],
[
907953,
2
],
[
916786,
2
],
[
939936,
2
],
[
941141,
2
],
[
944487,
2
],
[
954146,
2
],
[
1411710,
2
],
[
1411971,
2
],
[
1413971,
2
],
[
1426849,
2
],
[
1429313,
2
],
[
1429702,
2
],
[
1435842,
2
],
[
1464080,
2
],
[
1465285,
2
],
[
1469108,
2
],
[
1478130,
2
],
[
1887744,
2
],
[
1898928,
2
],
[
1907804,
2
],
[
1908065,
2
],
[
1910111,
2
],
[
1927041,
2
],
[
1929241,
2
],
[
1929621,
2
],
[
1930010,
2
],
[
1938610,
2
],
[
1958647,
2
],
[
1960136,
2
],
[
1960877,
2
],
[
1982420,
2
],
[
1989344,
2
],
[
1990549,
2
],
[
1996815,
2
],
[
1997249,
2
],
[
1997995,
2
],
[
1999068,
2
],
[
1999608,
2
],
[
2000200,
2
],
[
2001714,
2
],
[
2014274,
2
]
],
"shell7": [
[
456925,
0
],
[
457395,
0
],
[
465761,
0
],
[
484941,
0
],
[
486787,
0
],
[
891841,
0
],
[
892311,
0
],
[
899489,
0
],
[
920009,
0
],
[
1410966,
0
],
[
1411436,
0
],
[
1420465,
0
],
[
1443913,
0
],
[
1907108,
0
],
[
1907578,
0
],
[
1917016,
0
],
[
1952345,
0
]
],
"shell2": [
[
486799,
3
],
[
920021,
3
],
[
1443925,
3
],
[
1952357,
3
]
]
},
"strings": [
"VYvs6A==",
"VYvsg8Q=",
"VYvsgew=",
"ZKEw"
]
}
],
"sha1": "ed8038a3f25b7e7c851b87d01fc11214e9a82914",
"name": "4c51b0a23cb6ba32_exe.x64.msi",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"type": "Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time\/Date: Fri Dec 11 11:47:44 2009, Last Saved Time\/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {60A27EE1-F320-4B66-88C6-6FF9C19D8CE2}, Number of Words: 0, Subject: Windows Driver System Update, Author: System Updates, Name of Creating Application: Advanced Installer 15.3 build 36112661f6, Template: x64;1033, Comments: This installer database contains the logic and data required to install Windows Driver System Update., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200",
"sha256": "4c51b0a23cb6ba3286a88b569d01dc6a8eb03c5029d1205656f6e5e4bd3a19dd",
"urls": [
"http:\/\/s.symcb.com\/universal-root.crl0",
"https:\/\/www.thawte.com\/cps0\/",
"http:\/\/crl.comodoca.com\/COMODORSACertificationAuthority.crl0q",
"http:\/\/cacerts.digicert.com\/DigiCertSHA2AssuredIDTimestampingCA.crt0",
"http:\/\/cacerts.digicert.com\/DigiCertAssuredIDRootCA.crt0",
"http:\/\/ocsp.digicert.com0C",
"http:\/\/tl.symcb.com\/tl.crt0",
"http:\/\/crt.comodoca.com\/COMODORSAAddTrustCA.crt0",
"http:\/\/ts-crl.ws.symantec.com\/sha256-tss-ca.crl0",
"https:\/\/d.symcb.com\/cps0%",
"http:\/\/s.symcd.com06",
"http:\/\/purl.org\/dc\/elements\/1.1\/",
"https:\/\/www.thawte.com\/repository0W",
"http:\/\/ns.adobe.com\/xap\/1.0\/mm\/",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/t2.symcb.com0",
"http:\/\/tl.symcb.com\/tl.crl0",
"http:\/\/ocsp.comodoca.com0",
"http:\/\/ocsp.digicert.com0O",
"http:\/\/crl3.digicert.com\/DigiCertAssuredIDRootCA.crl0P",
"http:\/\/t1.symcb.com\/ThawtePCA.crl0",
"http:\/\/www.",
"https:\/\/secure.comodo.net\/CPS0C",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef",
"http:\/\/crt.comodoca.com\/COMODORSACodeSigningCA.crt0",
"http:\/\/crl3.digicert.com\/sha2-assured-ts.crl02",
"https:\/\/d.symcb.com\/rpa0.",
"http:\/\/tl.symcd.com0",
"http:\/\/ns.adobe.com\/xap\/1.0\/",
"http:\/\/crl4.digicert.com\/sha2-assured-ts.crl0",
"https:\/\/www.advancedinstaller.com",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceEvent",
"http:\/\/ts-ocsp.ws.symantec.com0",
"http:\/\/crl.comodoca.com\/COMODORSACodeSigningCA.crl0t",
"http:\/\/www.winimage.com\/zLibDll",
"http:\/\/crl4.digicert.com\/DigiCertAssuredIDRootCA.crl0:",
"http:\/\/ts-aia.ws.symantec.com\/sha256-tss-ca.cer0(",
"http:\/\/ns.adobe.com\/photoshop\/1.0\/",
"https:\/\/www.digicert.com\/CPS0"
],
"crc32": "32910FAF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9989\/files\/4c51b0a23cb6ba32_exe.x64.msi",
"ssdeep": null,
"size": 2311680,
"sha512": "df8b336c42121c61abae36756779ea319e2704e879a449ad9f989ca47f42cbbb1dbf8e95883d30bdba447bc68e30d4cdef83050fc929024b152191c640932a4a",
"pids": [
2392
],
"md5": "e6281abee62e8b8286a997bb2ece6cce"
},
{
"yara": [],
"sha1": "040bbc5da78c31d8d532bd2c4d4f59381ef6e7ba",
"name": "aad6a0fb453e7e21_decoder.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "aad6a0fb453e7e21e44fc6ae7f19a3dea3b7154d28d1e9242e05aef8304848ac",
"urls": [],
"crc32": "BF894692",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9989\/files\/aad6a0fb453e7e21_decoder.dll",
"ssdeep": null,
"size": 181248,
"sha512": "7eddea99a3e3d11c1ec7ddaefa59f1bc1e5e12b9b6b01557463fcdc944c93f80e0a646f412d359695b702bba11c2efa76b94323482a07dedb341500c1f66c109",
"pids": [
2392
],
"md5": "b951bdc05ddac63d32a4514b52a38861"
},
{
"yara": [
{
"meta": {
"description": "Contains an embedded PE32 file",
"author": "nex"
},
"name": "embedded_pe",
"offsets": {
"b": [
[
114766,
0
],
[
749646,
0
],
[
766030,
0
],
[
1119310,
0
],
[
1708622,
0
]
]
},
"strings": [
"VGhpcyBwcm9ncmFt"
]
},
{
"meta": {
"description": "A non-Windows executable contains win32 API functions names",
"author": "nex"
},
"name": "embedded_win_api",
"offsets": {
"api6": [
[
708716,
5
],
[
1081038,
5
],
[
1664584,
5
],
[
2165082,
5
]
],
"api7": [
[
709558,
4
],
[
753692,
4
],
[
1080018,
4
],
[
1080104,
4
],
[
1665868,
4
]
],
"api2": [
[
708192,
0
],
[
1080440,
0
],
[
1664248,
0
],
[
2164726,
0
]
],
"api8": [
[
1664692,
1
]
],
"api14": [
[
1664692,
1
]
],
"api12": [
[
708728,
3
],
[
710312,
3
],
[
1081006,
3
],
[
1083612,
3
],
[
1664550,
3
],
[
1666870,
3
],
[
2164850,
3
],
[
2166460,
3
]
],
"api13": [
[
708498,
2
],
[
1081226,
2
],
[
1664196,
2
],
[
2164984,
2
]
]
},
"strings": [
"R2V0UHJvY0FkZHJlc3M=",
"R2V0V2luZG93c0RpcmVjdG9yeQ==",
"R2V0VGVtcFBhdGg=",
"U2V0RmlsZVBvaW50ZXI=",
"U2hlbGxFeGVjdXRl",
"V3JpdGVGaWxl"
]
},
{
"meta": {
"description": "Matched shellcode byte patterns",
"author": "nex"
},
"name": "shellcode",
"offsets": {
"shell5": [
[
501984,
1
],
[
502007,
1
],
[
935056,
1
],
[
935079,
1
],
[
1459200,
1
],
[
1459223,
1
],
[
1983952,
1
],
[
1983975,
1
]
],
"shell6": [
[
455024,
2
],
[
455285,
2
],
[
457484,
2
],
[
469294,
2
],
[
470559,
2
],
[
470948,
2
],
[
480626,
2
],
[
504304,
2
],
[
505509,
2
],
[
508685,
2
],
[
518354,
2
],
[
889975,
2
],
[
890236,
2
],
[
892351,
2
],
[
904305,
2
],
[
905004,
2
],
[
905393,
2
],
[
914226,
2
],
[
937376,
2
],
[
938581,
2
],
[
941927,
2
],
[
951586,
2
],
[
1409150,
2
],
[
1409411,
2
],
[
1411411,
2
],
[
1424289,
2
],
[
1426753,
2
],
[
1427142,
2
],
[
1433282,
2
],
[
1461520,
2
],
[
1462725,
2
],
[
1466548,
2
],
[
1475570,
2
],
[
1884672,
2
],
[
1895856,
2
],
[
1904732,
2
],
[
1904993,
2
],
[
1907039,
2
],
[
1923969,
2
],
[
1926169,
2
],
[
1926549,
2
],
[
1926938,
2
],
[
1935538,
2
],
[
1955575,
2
],
[
1957064,
2
],
[
1957805,
2
],
[
1979348,
2
],
[
1986272,
2
],
[
1987477,
2
],
[
1993743,
2
],
[
1994177,
2
],
[
1994923,
2
],
[
1995996,
2
],
[
1996536,
2
],
[
1997128,
2
],
[
1998642,
2
],
[
2011202,
2
]
],
"shell7": [
[
454365,
0
],
[
454835,
0
],
[
463201,
0
],
[
482381,
0
],
[
484227,
0
],
[
889281,
0
],
[
889751,
0
],
[
896929,
0
],
[
917449,
0
],
[
1408406,
0
],
[
1408876,
0
],
[
1417905,
0
],
[
1441353,
0
],
[
1904036,
0
],
[
1904506,
0
],
[
1913944,
0
],
[
1949273,
0
]
],
"shell2": [
[
484239,
3
],
[
917461,
3
],
[
1441365,
3
],
[
1949285,
3
]
]
},
"strings": [
"VYvs6A==",
"VYvsg8Q=",
"VYvsgew=",
"ZKEw"
]
}
],
"sha1": "2f4451ec7ee088bde93b65860d5ead952cd4a29c",
"name": "7d9f9623d24918aa_exe.msi",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.msi",
"type": "Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time\/Date: Fri Dec 11 11:47:44 2009, Last Saved Time\/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {4489BEDB-5272-44C1-B4B2-0FEF82C331A0}, Number of Words: 0, Subject: Windows Driver System Update, Author: System Updates, Name of Creating Application: Advanced Installer 15.3 build 36112661f6, Template: ;1033, Comments: This installer database contains the logic and data required to install Windows Driver System Update., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200",
"sha256": "7d9f9623d24918aa8e3f51e348ffc5a689498ebfc9655ceb4cfb0b28ba30db7b",
"urls": [
"http:\/\/s.symcb.com\/universal-root.crl0",
"https:\/\/www.thawte.com\/cps0\/",
"http:\/\/crl.comodoca.com\/COMODORSACertificationAuthority.crl0q",
"http:\/\/cacerts.digicert.com\/DigiCertSHA2AssuredIDTimestampingCA.crt0",
"http:\/\/cacerts.digicert.com\/DigiCertAssuredIDRootCA.crt0",
"http:\/\/ocsp.digicert.com0C",
"http:\/\/tl.symcb.com\/tl.crt0",
"http:\/\/crt.comodoca.com\/COMODORSAAddTrustCA.crt0",
"http:\/\/ts-crl.ws.symantec.com\/sha256-tss-ca.crl0",
"https:\/\/d.symcb.com\/cps0%",
"http:\/\/s.symcd.com06",
"http:\/\/purl.org\/dc\/elements\/1.1\/",
"https:\/\/www.thawte.com\/repository0W",
"http:\/\/ns.adobe.com\/xap\/1.0\/mm\/",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/t2.symcb.com0",
"http:\/\/tl.symcb.com\/tl.crl0",
"http:\/\/ocsp.comodoca.com0",
"http:\/\/ocsp.digicert.com0O",
"http:\/\/crl3.digicert.com\/DigiCertAssuredIDRootCA.crl0P",
"http:\/\/t1.symcb.com\/ThawtePCA.crl0",
"http:\/\/www.",
"https:\/\/secure.comodo.net\/CPS0C",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef",
"http:\/\/crt.comodoca.com\/COMODORSACodeSigningCA.crt0",
"http:\/\/crl3.digicert.com\/sha2-assured-ts.crl02",
"https:\/\/d.symcb.com\/rpa0.",
"http:\/\/tl.symcd.com0",
"http:\/\/ns.adobe.com\/xap\/1.0\/",
"http:\/\/crl4.digicert.com\/sha2-assured-ts.crl0",
"https:\/\/www.advancedinstaller.com",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceEvent",
"http:\/\/ts-ocsp.ws.symantec.com0",
"http:\/\/crl.comodoca.com\/COMODORSACodeSigningCA.crl0t",
"http:\/\/www.winimage.com\/zLibDll",
"http:\/\/crl4.digicert.com\/DigiCertAssuredIDRootCA.crl0:",
"http:\/\/ts-aia.ws.symantec.com\/sha256-tss-ca.cer0(",
"http:\/\/ns.adobe.com\/photoshop\/1.0\/",
"https:\/\/www.digicert.com\/CPS0"
],
"crc32": "9C55F8A5",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9989\/files\/7d9f9623d24918aa_exe.msi",
"ssdeep": null,
"size": 2307072,
"sha512": "2f8070ea56df0c6332b1b91b15d6a4b64e55198a9030df9977c46a803f06c3dea019ba2d374fb304a1c16ebb1475f04619f3aeb1e91eac929b7fed1ea3cf4d18",
"pids": [
2392
],
"md5": "3242fa751921294425833dafc8ff25b4"
}
]
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"process_name": "ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"pid": 2392,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.msi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\holder0.aiph",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"\\Device\\KsecDD",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users"
],
"dll_loaded": [
"C:\\Windows\\system32\\wininet.dll",
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"api-ms-win-appmodel-runtime-l1-1-1",
"C:\\Windows\\system32\\urlmon.dll",
"api-ms-win-core-localization-l1-2-1",
"DNSAPI.dll",
"C:\\Windows\\SysWOW64\\SHLWAPI.DLL",
"cryptsp.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"ncrypt.dll",
"C:\\Windows\\system32\\RICHED20.DLL",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"C:\\Windows\\system32\\propsys.dll",
"crypt32.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"SspiCli.dll",
"advapi32.dll",
"COMCTL32",
"C:\\Windows\\system32\\bcrypt.dll",
"SHLWAPI.dll",
"USER32.dll",
"C:\\Windows\\system32\\comctl32.dll",
"C:\\Windows\\system32\\shlwapi.dll",
"C:\\Windows\\system32\\comdlg32.dll",
"C:\\Windows\\syswow64\\CRYPT32.dll",
"WINTRUST.dll",
"C:\\Windows\\system32\\version.dll",
"SHELL32.dll",
"C:\\Windows\\System32\\wship6.dll",
"C:\\Windows\\system32\\user32.dll",
"setupapi.dll",
"C:\\Windows\\system32\\shell32.dll",
"CFGMGR32.dll",
"C:\\Windows\\SysWOW64\\RPCRT4.DLL",
"C:\\Windows\\system32\\crypt32.dll",
"C:\\Windows\\SysWOW64\\KERNEL32.DLL",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"C:\\Windows\\system32\\dbghelp.dll",
"C:\\Windows\\system32\\shcore.dll",
"C:\\Windows\\system32\\setupapi.dll",
"kernel32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"SensApi.dll",
"ntdll.dll",
"C:\\Windows\\system32\\USP10.dll",
"C:\\Windows\\system32\\apphelp.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"C:\\Windows\\system32\\gdiplus.dll",
"IPHLPAPI.DLL",
"C:\\Windows\\SysWOW64\\NTDLL.DLL",
"C:\\Windows\\system32\\gdi32.dll",
"profapi.dll",
"COMCTL32.dll",
"VERSION.dll",
"C:\\Windows\\system32\\advapi32.dll",
"C:\\Windows\\system32\\cryptnet.dll",
"C:\\Windows\\SysWOW64\\MSCOREE.DLL",
"C:\\Windows\\SysWOW64\\msi.dll",
"DEVRTL.dll",
"Cabinet.dll",
"WINHTTP.dll",
"C:\\Windows\\system32\\usp10.dll",
"api-ms-win-core-sysinfo-l1-2-1",
"C:\\Windows\\system32\\rsaenh.dll",
"C:\\Windows\\system32\\mpr.dll",
"C:\\Windows\\system32\\davhlpr.dllole32.dll",
"C:\\Windows\\SysWOW64\\OLE32.DLL",
"C:\\Windows\\SysWOW64\\ADVAPI32.DLL",
"C:\\Windows\\system32\\cabinet.dll",
"C:\\Windows\\system32\\msasn1.dll",
"C:\\Windows\\system32\\msls31.dll",
"CRYPTSP.dll",
"ext-ms-win-kernel32-package-current-l1-1-0",
"C:\\Windows\\system32\\msimg32.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"C:\\Windows\\SysWOW64\\APPHELP.DLL",
"C:\\Windows\\system32\\kernel32.dll",
"ole32.dll",
"NSI.dll",
"api-ms-win-core-fibers-l1-1-1",
"msi.dll",
"ADVAPI32.dll",
"SETUPAPI.dll",
"WS2_32.dll",
"gdiplus.dll",
"C:\\Windows\\system32\\lpk.dll",
"kernel32",
"credssp.dll",
"C:\\Windows\\system32\\msi.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"C:\\Windows\\system32\\WindowsCodecs.dll",
"api-ms-win-core-synch-l1-2-0",
"imm32.dll",
"C:\\Windows\\system32\\secur32.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\system32\\wintrust.dll",
"cryptnet.dll",
"C:\\Windows\\SysWOW64\\SHELL32.DLL",
"MSISIP.DLL",
"winhttp.dll",
"C:\\Windows\\system32\\cryptsp.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"C:\\Windows\\system32\\dwmapi.dll",
"C:\\Windows\\system32\\profapi.dll",
"C:\\Windows\\SysWOW64\\VERSION.DLL",
"C:\\Windows\\system32\\msihnd.dll",
"OLEAUT32.dll",
"RPCRT4.dll",
"C:\\Windows\\system32\\oleaut32.dll",
"C:\\Windows\\system32\\userenv.dll",
"C:\\Windows\\system32\\psapi.dll",
"\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Windows\\SysWOW64\\TSAPPCMP.DLL",
"C:\\Windows\\SysWOW64\\USER32.DLL",
"C:\\Windows\\system32\\mswsock.dll",
"Ntdll.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Windows\\SysWOW64\\en-US\\sxs.DLL.mui",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.dll",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Windows\\System32\\msimsg.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Windows\\AppPatch\\msimain.sdb",
"C:\\Windows\\SysWOW64\\sxs.dll",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp"
],
"command_line": [
"\"C:\\Windows\\system32\\msiexec.exe\" \/i \"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi\" \/quiet \/qn AI_SETUPEXEPATH=C:\\Users\\cuck\\AppData\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin SETUPEXEDIR=C:\\Users\\cuck\\AppData\\Local\\Temp\\ EXE_CMD_LINE=\"\/exenoupdates \" "
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Products\\0F744DF3340967E4280DCA89F117CF6F",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
"HKEY_LOCAL_MACHINE\\Software\\Classes\\Installer\\UpgradeCodes\\50F070082576EA547AD19C9D033CD618",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_CLASSES_ROOT\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\UpgradeCodes\\50F070082576EA547AD19C9D033CD618",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch\\v2.0.50727.00000\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Classes\\Installer\\Products\\0F744DF3340967E4280DCA89F117CF6F",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\UpgradeCodes\\50F070082576EA547AD19C9D033CD618",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\0F744DF3340967E4280DCA89F117CF6F\\InstallProperties",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch\\v2.0.50727.00000",
"HKEY_CURRENT_USER\\Software\\Microsoft\\MS Setup (ACME)\\User Info",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Installer",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Installer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\InProgress",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Products\\0F744DF3340967E4280DCA89F117CF6F",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\FileSystem",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
],
"resolves_host": [
"www.download.windowsupdate.com",
"crt.comodoca.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.msi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
],
"file_deleted": [
"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.msi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\holder0.aiph",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\FILES.7z",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp",
"C:\\Windows\\Tasks\\C__Users_cuck_AppData_Local_Temp_ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin.job",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.7z"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121"
],
"file_exists": [
"C:\\Windows\\inf\\",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.msi",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.dll",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\",
"C:\\Windows\\SysWOW64\\MSCOREE.DLL.local",
"C:\\Windows\\System32\\qagentrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\System32\\msi.dll",
"C:\\Windows\\SysWOW64\\sxs.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe",
"C:\\Windows\\System32\\p2pcollab.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
],
"file_failed": [
"C:\\Windows\\SysWOW64\\zh-HK\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\pt-BR\\sxs.DLL.mui",
"\\??\\L:",
"C:\\Windows\\SysWOW64\\de-DE\\sxs.DLL.mui",
"\\??\\N:",
"\\??\\U:",
"C:\\Windows\\SysWOW64\\hr-HR\\sxs.DLL.mui",
"\\??\\H:",
"\\??\\W:",
"\\??\\J:",
"C:\\Windows\\SysWOW64\\pl-PL\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ar-SA\\sxs.DLL.mui",
"\\??\\E:",
"\\??\\Z:",
"\\??\\P:",
"\\??\\D:",
"\\??\\S:",
"C:\\Windows\\SysWOW64\\nb-NO\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\et-EE\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\sr-Latn-CS\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\th-TH\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\hu-HU\\sxs.DLL.mui",
"\\??\\B:",
"C:\\Windows\\SysWOW64\\bg-BG\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\en\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\el-GR\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ko-KR\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\fi-FI\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\tr-TR\\sxs.DLL.mui",
"\\??\\X:",
"\\??\\F:",
"\\??\\Q:",
"C:\\Windows\\SysWOW64\\fr-FR\\sxs.DLL.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin.config",
"C:\\Windows\\SysWOW64\\lv-LV\\sxs.DLL.mui",
"\\??\\O:",
"C:\\Windows\\SysWOW64\\nl-NL\\sxs.DLL.mui",
"\\??\\T:",
"\\??\\I:",
"\\??\\V:",
"C:\\Windows\\SysWOW64\\he-IL\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ja-JP\\sxs.DLL.mui",
"\\??\\G:",
"C:\\Windows\\SysWOW64\\pt-PT\\sxs.DLL.mui",
"\\??\\K:",
"C:\\Windows\\SysWOW64\\da-DK\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\sl-SI\\sxs.DLL.mui",
"\\??\\R:",
"C:\\Windows\\SysWOW64\\lt-LT\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\es-ES\\sxs.DLL.mui",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\74FBF93595CFC8459196065CE54AD928",
"C:\\Windows\\SysWOW64\\zh-CN\\sxs.DLL.mui",
"\\??\\A:",
"\\??\\M:",
"C:\\Windows\\SysWOW64\\zh-TW\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\uk-UA\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\sv-SE\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\sk-SK\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\cs-CZ\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ru-RU\\sxs.DLL.mui",
"C:\\Windows\\SysWOW64\\ro-RO\\sxs.DLL.mui",
"\\??\\Y:",
"C:\\Windows\\SysWOW64\\it-IT\\sxs.DLL.mui"
],
"guid": [
"{00000323-0000-0000-c000-000000000046}",
"{148bd527-a2ab-11ce-b11f-00aa00530503}",
"{00000146-0000-0000-c000-000000000046}",
"{000c101c-0000-0000-c000-000000000046}",
"{00000000-0000-0000-c000-000000000046}",
"{148bd52a-a2ab-11ce-b11f-00aa00530503}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar79CC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab79CB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6576.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6577.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6555.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6556.tmp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local\\Temp\\ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\com",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\FxsTmp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\manifeststore",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\LogFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Recovery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentMinorVersionNumber",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\wdi",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\.",
"HKEY_CURRENT_USER\\Control Panel\\International\\LocaleName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ProductOptions\\ProductSuite",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\..",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\4F74C5EF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ProductOptions\\ProductType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\DriverStore",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\restore",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Tasks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\catroot",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\migwiz",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\inetsrv",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\GroupPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sppui",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\slmgr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\InstallShield",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ras",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Msdtc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\wbem",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C1025-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\migration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\AdvancedInstallers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C1033-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\catroot2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\spp",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101C-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\config",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\GroupPolicyUsers",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\NDF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\icsxml",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\oobe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\FileSystem\\Win31FileSystem",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentMajorVersionNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Dism",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\WCN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\IME",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\MUI",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Speech",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\0409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\NetworkList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\drivers",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\winrm",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir (x86)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\WindowsPowerShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\Printing_Admin_Scripts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\sysprep",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\WindowsServiceUpdate.ini",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\SysWOW64\\*"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList"
]
},
"first_seen": 1602366787.9375,
"ppid": 2124
},
{
"process_path": "C:\\Windows\\explorer.exe",
"process_name": "explorer.exe",
"pid": 1788,
"summary": {
"file_opened": [
"C:\\"
],
"file_exists": [
"C:\\Config.Msi",
"C:\\cuckoo_1788.ini",
"C:\\ProgramData"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msi\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msi\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msi.Package\\IsShortcut"
],
"file_failed": [
"C:\\Config.Msi",
"C:\\cuckoo_1788.ini"
]
},
"first_seen": 1602366811.31225,
"ppid": 1740
},
{
"process_path": "C:\\Windows\\SysWOW64\\msiexec.exe",
"process_name": "msiexec.exe",
"pid": 2844,
"summary": {
"dll_loaded": [
"C:\\Windows\\SysWOW64\\OLE32.DLL",
"C:\\Windows\\SysWOW64\\SAGE.DLL",
"C:\\Windows\\SysWOW64\\msi.dll",
"C:\\Windows\\SysWOW64\\TSAPPCMP.DLL",
"kernel32.dll",
"Ntdll.dll",
"C:\\Windows\\SysWOW64\\KERNEL32.DLL",
"C:\\Windows\\SysWOW64\\SHLWAPI.DLL",
"C:\\Windows\\SysWOW64\\NETAPI32.DLL",
"COMCTL32",
"ole32.dll",
"C:\\Windows\\SysWOW64\\SHELL32.DLL",
"CRYPTSP.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"C:\\Windows\\SysWOW64\\msimsg.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\CLSID\\{000C103E-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101C-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\msiexec.exe",
"HKEY_LOCAL_MACHINE\\Software\\Classes\\Installer\\Products\\0F744DF3340967E4280DCA89F117CF6F",
"HKEY_CURRENT_USER\\Interface\\{000C101C-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\TreatAs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Products\\0F744DF3340967E4280DCA89F117CF6F",
"HKEY_CURRENT_USER\\Interface\\{000C101D-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Products\\0F744DF3340967E4280DCA89F117CF6F",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101D-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\msiexec.exe",
"HKEY_CLASSES_ROOT\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Installer"
],
"mutex": [
"Global\\_MSIExecute"
],
"guid": [
"{000c101c-0000-0000-c000-000000000046}",
"{00000000-0000-0000-c000-000000000046}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101D-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101C-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\ScreenSaverIsSecure",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion\\(Default)"
]
},
"first_seen": 1602366797.202875,
"ppid": 2392
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1602366787.5625,
"ppid": 376
}
]
[
{
"markcount": 3,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1602366796.9055,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 4637
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1602366811.3435,
"tid": 3172,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 5289
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1602366811.3435,
"tid": 3172,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 5290
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 1,
"families": [],
"description": "This executable has a PDB path",
"severity": 1,
"marks": [
{
"category": "pdb_path",
"ioc": "C:\\JobRelease\\win\\Release\\stubs\\x86\\ExternalUi.pdb",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_pdb"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1602366788.1085,
"tid": 2872,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 586
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 2,
"families": [],
"description": "The file contains an unknown PE resource name possibly indicative of a packer",
"severity": 1,
"marks": [
{
"category": "resource name",
"ioc": "IMAGE_FILE",
"type": "ioc",
"description": null
},
{
"category": "resource name",
"ioc": "RTF_FILE",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_unknown_resource_name"
},
{
"markcount": 1,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x776c374b\nDllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x75b3f777\nNdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x776d419a\nNdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7775011d\nWdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75b3c8e2\nCoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75a398ad\nCoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75a3b641\nCoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75a3b5ed\nCoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75a3b172\nCoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75a3a66e\nCoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x75a3a817\nCoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x75a3a781\nCoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x75a3aaf3\nWdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x75b3d380\nDllGetClassObject+0x5403 MsiCreateAndVerifyInstallerDirectory-0x464c msi+0x26c41 @ 0x74b46c41\nDllGetClassObject+0x54a2 MsiCreateAndVerifyInstallerDirectory-0x45ad msi+0x26ce0 @ 0x74b46ce0\nMsiInvalidateFeatureCache+0x30ae6 DllRegisterServer-0xa154 msi+0x9db21 @ 0x74bbdb21\nMsiDeterminePatchSequenceA+0x53f MsiCloseHandle-0x20fd msi+0xcdd98 @ 0x74bedd98\nMsiDeterminePatchSequenceA+0x24dd MsiCloseHandle-0x15f msi+0xcfd36 @ 0x74befd36\nMsiCloseHandle+0x51 MsiCloseAllHandles-0x5d msi+0xcfee6 @ 0x74befee6\nddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436+0x1006c9 @ 0x10106c9\nddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436+0x2d82e @ 0xf3d82e\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77bc9ed2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77bc9ea5",
"registers": {
"esp": 76018700,
"edi": 1973746192,
"eax": 76018700,
"ebp": 76018780,
"edx": 1973779464,
"ebx": 6297356,
"esi": 2147746288,
"ecx": 1973743872
},
"exception": {
"instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
"symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
"instruction": "leave",
"module": "KERNELBASE.dll",
"exception_code": "0x800401f0",
"offset": 46887,
"address": "0x75dbb727"
}
},
"time": 1602366811.3435,
"tid": 3172,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 5297
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 7,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2392,
"region_size": 720896,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 8192,
"base_address": "0x04590000"
},
"time": 1602366796.7805,
"tid": 460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE"
}
},
"pid": 2392,
"type": "call",
"cid": 4286
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2392,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04600000"
},
"time": 1602366796.7805,
"tid": 460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2392,
"type": "call",
"cid": 4288
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2844,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x744d1000"
},
"time": 1602366797.280875,
"tid": 2440,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2844,
"type": "call",
"cid": 2
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2844,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f1000"
},
"time": 1602366797.296875,
"tid": 2440,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2844,
"type": "call",
"cid": 67
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2844,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x71321000"
},
"time": 1602366797.327875,
"tid": 2784,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2844,
"type": "call",
"cid": 254
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2844,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x71311000"
},
"time": 1602366797.327875,
"tid": 2784,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2844,
"type": "call",
"cid": 256
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2844,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x712f1000"
},
"time": 1602366797.327875,
"tid": 2784,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2844,
"type": "call",
"cid": 258
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 0,
"families": [],
"description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed",
"severity": 2,
"marks": [],
"references": [
"https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb"
],
"name": "antisandbox_foregroundwindows"
},
{
"markcount": 11,
"families": [],
"description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
"severity": 2,
"marks": [
{
"call": {
"category": "misc",
"status": 0,
"stacktrace": [],
"last_error": 3,
"nt_status": -1073741766,
"api": "GetDiskFreeSpaceExW",
"return_value": 0,
"arguments": {
"root_path": "\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\",
"free_bytes_available": 0,
"total_number_of_free_bytes": 0,
"total_number_of_bytes": 0
},
"time": 1602366788.1085,
"tid": 2592,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 604
},
{
"call": {
"category": "misc",
"status": 0,
"stacktrace": [],
"last_error": 3,
"nt_status": -1073741766,
"api": "GetDiskFreeSpaceExW",
"return_value": 0,
"arguments": {
"root_path": "\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\",
"free_bytes_available": 0,
"total_number_of_free_bytes": 0,
"total_number_of_bytes": 0
},
"time": 1602366788.1085,
"tid": 2592,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 605
},
{
"call": {
"category": "misc",
"status": 0,
"stacktrace": [],
"last_error": 3,
"nt_status": -1073741772,
"api": "GetDiskFreeSpaceExW",
"return_value": 0,
"arguments": {
"root_path": "\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\",
"free_bytes_available": 0,
"total_number_of_free_bytes": 0,
"total_number_of_bytes": 0
},
"time": 1602366788.1085,
"tid": 2592,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 606
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\",
"free_bytes_available": 23510654976,
"total_number_of_free_bytes": 23510654976,
"total_number_of_bytes": 23510654976
},
"time": 1602366788.1085,
"tid": 2592,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 607
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\",
"free_bytes_available": 23510470656,
"total_number_of_free_bytes": 23510470656,
"total_number_of_bytes": 23510470656
},
"time": 1602366788.1245,
"tid": 2592,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 663
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\",
"free_bytes_available": 23509217280,
"total_number_of_free_bytes": 23509217280,
"total_number_of_bytes": 23509217280
},
"time": 1602366788.1715,
"tid": 1516,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 734
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\",
"free_bytes_available": 23506907136,
"total_number_of_free_bytes": 23506907136,
"total_number_of_bytes": 23506907136
},
"time": 1602366788.1875,
"tid": 1516,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 740
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "C:\\",
"free_bytes_available": 23503831040,
"total_number_of_free_bytes": 23503831040,
"total_number_of_bytes": 34252779520
},
"time": 1602366796.8905,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 4550
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceW",
"return_value": 1,
"arguments": {
"root_path": "C:\\",
"sectors_per_cluster": 8,
"number_of_free_clusters": 5738240,
"total_number_of_clusters": 8362495,
"bytes_per_sector": 512
},
"time": 1602366796.8905,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 4551
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\",
"free_bytes_available": 23499116544,
"total_number_of_free_bytes": 23499116544,
"total_number_of_bytes": 23499116544
},
"time": 1602366810.8275,
"tid": 816,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 5217
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "\\\\?\\C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\",
"free_bytes_available": 23498743808,
"total_number_of_free_bytes": 23498743808,
"total_number_of_bytes": 23498743808
},
"time": 1602366810.8275,
"tid": 816,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 5222
}
],
"references": [],
"name": "antivm_disk_size"
},
{
"markcount": 4,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\MSI7B35.tmp",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\Windows Driver System Updater.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\unrar.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\decoder.dll",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 15,
"family": 0
},
"time": 1602366788.4215,
"tid": 2384,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 2651
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 31,
"families": [],
"description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
"severity": 2,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeCreateTokenPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3893
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeAssignPrimaryTokenPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3894
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeMachineAccountPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3898
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeTcbPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3899
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeSecurityPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3900
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeTakeOwnershipPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3901
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeLoadDriverPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3902
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeBackupPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3909
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeRestorePrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3910
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeShutdownPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3911
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3912
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeRemoteShutdownPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3916
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeEnableDelegationPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3919
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeManageVolumePrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3920
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeCreateGlobalPrivilege"
},
"time": 1602366796.7025,
"tid": 460,
"flags": {}
},
"pid": 2392,
"type": "call",
"cid": 3922
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeShutdownPrivilege"
},
"time": 1602366797.327875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 279
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeCreateTokenPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 383
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeAssignPrimaryTokenPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 384
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeMachineAccountPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 388
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeTcbPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 389
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeSecurityPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 390
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeTakeOwnershipPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 391
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeLoadDriverPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 392
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeBackupPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 399
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeRestorePrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 400
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeShutdownPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 401
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 402
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeRemoteShutdownPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 406
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeEnableDelegationPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 409
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeManageVolumePrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 410
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeCreateGlobalPrivilege"
},
"time": 1602366797.343875,
"tid": 2784,
"flags": {}
},
"pid": 2844,
"type": "call",
"cid": 412
}
],
"references": [],
"name": "privilege_luid_check"
},
{
"markcount": 5,
"families": [],
"description": "One or more of the buffers contains an embedded PE file",
"severity": 3,
"marks": [
{
"category": "buffer",
"ioc": "Buffer with sha1: 5165f3c7b767382b695ddb4b772a3ca0dff0cbbb",
"type": "ioc",
"description": null
},
{
"category": "buffer",
"ioc": "Buffer with sha1: c93e7d67474dc28465031b38f1d5c2e3d4b10fb9",
"type": "ioc",
"description": null
},
{
"category": "buffer",
"ioc": "Buffer with sha1: c1b086b7977b225c9bb55f0173243818358dddc8",
"type": "ioc",
"description": null
},
{
"category": "buffer",
"ioc": "Buffer with sha1: 1f50846aca1edaa94b4ddc83fd789d4844247e4c",
"type": "ioc",
"description": null
},
{
"category": "buffer",
"ioc": "Buffer with sha1: efb86d659870487abbbaa0860d8ecda372fbc23c",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dumped_buffer2"
},
{
"markcount": 2,
"families": [],
"description": "Deletes executed files from disk",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\System Updates\\Windows Driver System Update 4.1.121\\install\\F71FCF6\\exe.x64.msi",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "deletes_executed_files"
},
{
"markcount": 1,
"families": [],
"description": "Creates a windows hook that monitors keyboard input (keylogger)",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "SetWindowsHookExW",
"return_value": 6881671,
"arguments": {
"thread_identifier": 0,
"callback_function": "0x00000000ffe9ae10",
"module_address": "0x00000000ffdf0000",
"hook_identifier": 13
},
"time": 1602366846.71825,
"tid": 1828,
"flags": {
"hook_identifier": "WH_KEYBOARD_LL"
}
},
"pid": 1788,
"type": "call",
"cid": 2237
}
],
"references": [],
"name": "infostealer_keylogger"
},
{
"markcount": 1,
"families": [],
"description": "Attempts to create or modify system certificates",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "modifies_certificates"
}
]
The Yara rules did not detect anything in the file.
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.227148056030273,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 10526,
"time": 12.227001905441284,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 12370,
"time": 6.18586802482605,
"dport": 5355,
"sport": 49840
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 12690,
"time": 5.82961106300354,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 13010,
"time": 11.424190044403076,
"dport": 5355,
"sport": 52259
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 13330,
"time": 4.164795875549316,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 13658,
"time": 6.165143013000488,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 13986,
"time": 25.43855595588684,
"dport": 5355,
"sport": 54237
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 14306,
"time": 4.764715909957886,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 14634,
"time": 17.365982055664062,
"dport": 5355,
"sport": 54335
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 14954,
"time": 3.0653579235076904,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 15282,
"time": 6.165378093719482,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 15610,
"time": 22.5066339969635,
"dport": 5355,
"sport": 58989
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 15930,
"time": 19.93431305885315,
"dport": 5355,
"sport": 59548
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 16250,
"time": 14.79464602470398,
"dport": 5355,
"sport": 63506
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 16570,
"time": 8.822999000549316,
"dport": 5355,
"sport": 64017
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 16890,
"time": 4.281291961669922,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36300,
"time": 4.24266791343689,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 44684,
"time": 6.2428789138793945,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "bf204e8498d94a6e58f89ebbc065fabf8c281dee1545845a81cc3db56df9804c",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "4d256984b52a131dd15ced4eb67d854d83ce2f05675aae4dc5fdfd7acea89767",
"irc": [],
"https_ex": []
}
The instructions below show how to remove WindowsServiceUpdate.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the WindowsServiceUpdate.exe file for removal, restart your computer and scan it again to verify that WindowsServiceUpdate.exe has been successfully removed. Here are the removal instructions in more detail:
| Property | Value |
|---|---|
| MD5 | 928bf79af36ab690c301ceae15a5aa1f |
| SHA256 | ddaec43639c5a4ff9d1c64c14514bc3e60e20bed4f8ca280c55107745bda4436 |
These are some of the error messages that can appear related to windowsserviceupdate.exe:
windowsserviceupdate.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
windowsserviceupdate.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Windows Driver System Update Installer has stopped working.
End Program - windowsserviceupdate.exe. This program is not responding.
windowsserviceupdate.exe is not a valid Win32 application.
windowsserviceupdate.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.