astrill.exe is part of Astrill - Way to Stars and is developed by Astrill, according to the file's version information.
astrill.exe's description is "Astrill - Way to Stars".
astrill.exe is digitally signed by Astrill Systems Corp.
astrill.exe is usually located in the 'C:\Program Files (x86)\Astrill\' folder.
None of the anti-virus scanners at VirusTotal reports anything malicious about astrill.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
The following is the available information on astrill.exe:
| Property | Value |
|---|---|
| Product name | Astrill - Way to Stars |
| Company name | Astrill |
| File description | Astrill - Way to Stars |
| Comments | Win32 Edition |
| Legal copyright | Copyright (c) 2009-2018 Astrill Systems Corp. |
| Legal trademark | Copyright (c) 2009-2018 Astrill Systems Corp. |
| Product version | 2.7.0.0 |
| File version | 3.6.0.2134 |
The Details tab of the Windows Explorer Properties dialog for astrill.exe shows the same version-resource fields as the table above (the screenshot itself is not reproduced here).
astrill.exe has a valid digital signature. The version-resource fields above can be set to any value at build time, so the signature is the stronger identity check: it binds the file's hash to the certificate identified below. On a live system the same signer name and serial number can be confirmed from the Digital Signatures tab of the file's Properties dialog or with PowerShell's Get-AuthenticodeSignature; a copy of astrill.exe whose signature is missing, invalid, or issued to a different signer should be treated as a different file.
| Property | Value |
|---|---|
| Signer name | Astrill Systems Corp. |
| Certificate issuer name | GlobalSign Extended Validation CodeSigning CA - SHA256 - G2 |
| Certificate serial number | 1121459530733d3a9f5c640d09d224cc8ea3 |
None of the 71 anti-virus programs at VirusTotal detected the astrill.exe file.
The following information was gathered by executing the file inside Cuckoo Sandbox. The process executed successfully in the sandbox. Two things to keep in mind when reading the summary: the sample was launched from the user's Temp folder under its SHA-256 hash as the file name rather than from its normal install path, so the paths and the CTF\Compatibility key below reflect that, and the only network destination recorded, 192.168.56.101, is a private address on the sandbox's own host-only network, not an external server. The behaviors worth a second look are the autostart value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Astrill, which is written and then deleted within the same run, the named mutex Global\MX_Astrill, and the checks for helper executables (aswgvpnc.exe, asovpnc.exe, openweb.exe, ASProxy.exe) in the Temp folder.
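To pull the security-relevant items out of a summary like the one below, here is an added Python triage script written for this page (it is not FreeFixer, Cuckoo or Astrill code). It assumes Cuckoo's summary field names exactly as they appear in the report (regkey_written, regkey_deleted, connects_ip, mutex, dll_loaded, file_exists, file_created, file_written, file_opened) and runs on a trimmed copy of this report's summary embedded in the script as constructed input; the autostart-key list and the score weights are the example's own choices, not anything the report defines.

```python
"""Triage a Cuckoo Sandbox behavior summary for persistence, network and dropped-file indicators.

Added example for this page; not FreeFixer, Cuckoo or Astrill code. Field names follow the
Cuckoo summary format shown in the report; the autostart list and score weights are illustrative.
"""
import ipaddress
import json
import re
import sys

# Registry locations that give a program autostart persistence (Run keys, Winlogon).
# This list is the example's own choice; extend it for your environment.
AUTORUN_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices)\\"
    r"|\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
    re.IGNORECASE,
)
EXECUTABLE_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd|ps1)$", re.IGNORECASE)
TEMP_MARKER = "\\appdata\\local\\temp\\"
OPENSSL_DLLS = {"libssl32.dll", "ssleay32.dll", "libeay32.dll"}


def persistence_findings(summary):
    """Autostart keys written; 'transient' means the same run also deleted the key."""
    deleted = {k.lower() for k in summary.get("regkey_deleted", [])}
    return [
        {"key": key, "transient": key.lower() in deleted}
        for key in summary.get("regkey_written", [])
        if AUTORUN_RE.search(key)
    ]


def network_findings(summary):
    """Label each contacted IP as private (RFC 1918, loopback, link-local), public or invalid."""
    labels = {}
    for ip in summary.get("connects_ip", []):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            labels[ip] = "invalid"
            continue
        labels[ip] = "private" if addr.is_private else "public"
    return labels


def temp_executables(summary):
    """Executables the process created, wrote, opened or probed for under the user's Temp folder."""
    found = set()
    for field in ("file_created", "file_written", "file_exists", "file_opened"):
        for path in summary.get(field, []):
            if TEMP_MARKER in path.lower() and EXECUTABLE_RE.search(path):
                found.add(path)
    return sorted(found)


def triage(summary):
    """Collect findings plus an illustrative priority score (weights are this example's choice)."""
    persistence = persistence_findings(summary)
    network = network_findings(summary)
    executables = temp_executables(summary)
    score = 0
    for item in persistence:
        score += 1 if item["transient"] else 3   # an autostart entry left behind weighs more
    score += 3 * sum(1 for label in network.values() if label == "public")
    score += min(len(executables), 3)            # helper binaries in Temp, capped
    return {
        "persistence": persistence,
        "network": network,
        "temp_executables": executables,
        "mutexes": list(summary.get("mutex", [])),
        "openssl_dlls": sorted({d.lower() for d in summary.get("dll_loaded", [])} & OPENSSL_DLLS),
        "score": score,
    }


# Constructed input: a trimmed copy of the summary in this report (hypothetical subset, same field names).
SAMPLE_SUMMARY = {
    "regkey_written": [
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
    ],
    "regkey_deleted": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill"],
    "connects_ip": ["192.168.56.101"],
    "mutex": ["Global\\MX_Astrill"],
    "dll_loaded": ["libssl32.dll", "ssleay32.dll", "libeay32.dll", "wininet.dll", "Fwpuclnt.dll"],
    "file_exists": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aswgvpnc.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\openweb.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Astrill.ini",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\asovpnc.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\ASProxy.exe",
    ],
    "file_created": ["C:\\Users\\cuck\\AppData\\Local\\Temp\\Astrill.ini"],
}

if __name__ == "__main__":
    # Pass a JSON file containing a Cuckoo "summary" object, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SUMMARY
    print(json.dumps(triage(data), indent=2))
```

Run against this report's summary, the script marks the Run\Astrill entry as transient (written and deleted in the same run), labels 192.168.56.101 as private, and lists the four helper executables the process looks for in Temp; a public IP or a Run key that survives the run would raise the score and are the cases that justify pulling the full report.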
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Astrill.ini"
],
"file_recreated": [
"\\??\\Nsi"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER\\iexplore.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER\\iexplore.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server"
],
"dll_loaded": [
"libssl32.dll",
"gdi32.dll",
"Fwpuclnt.dll",
"kernel32.dll",
"UxTheme.dll",
"oleaut32.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"shlwapi.dll",
"WS2_32.DLL",
"msimg32.dll",
"libeay32.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"KERNEL32.DLL",
"SHFolder.dll",
"OLEAUT32.DLL",
"advapi32.dll",
"comctl32",
"ole32.dll",
"CRYPTSP.dll",
"IMM32.dll",
"comdlg32.dll",
"version.dll",
"wininet.dll",
"ADVAPI32.dll",
"uxtheme.dll",
"ssleay32.dll",
"comctl32.dll",
"SHELL32.dll",
"iphlpapi.dll",
"s",
"zlib1.dll",
"shell32.dll",
"user32.dll",
"ws2_32.dll"
],
"file_opened": [
"C:\\Windows\\System32\\wshqos.dll",
"C:\\Windows\\Fonts\\staticcache.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"\\??\\PhysicalDrive0",
"C:\\Windows\\System32\\WSHTCPIP.DLL",
"C:\\Windows\\System32\\wship6.dll"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\DirectDrawEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE40",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\Connection",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall",
"HKEY_CURRENT_USER\\Control Panel\\Keyboard",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER",
"HKEY_LOCAL_MACHINE\\Software\\Astrill",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE5BAKEX",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Fontcore",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\SchedulingAgent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\MobileOptionPack",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\AddressBook",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Mozilla Firefox 60.0.2 (x86 sv-SE)",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Connection Manager",
"HKEY_CURRENT_USER\\Control Panel\\Accessibility\\Blind Access",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IEData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\WIC",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE4Data"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Astrill.ini"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill"
],
"connects_ip": [
"192.168.56.101"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aswgvpnc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\openweb.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Astrill.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\asovpnc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\adsblock.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ASProxy.exe",
"C:\\Windows\\SysWOW64\\Macromed\\Flash",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"mutex": [
"Global\\MX_Astrill"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"C:\\Windows\\Fonts\\staticcache.dat"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx\\DisplayName",
"HKEY_CURRENT_USER\\Control Panel\\Accessibility\\Blind Access\\LeftToRight",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 60.0.2 (x86 sv-SE)\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
"HKEY_CURRENT_USER\\Control Panel\\Keyboard\\KeybaordLayout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\NameServer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\*.old",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
]
}

Files dropped during the run:

[
{
"yara": [],
"sha1": "3b9bf6f0907850d579f585727947cc63f4fcbbd3",
"name": "345a02e48ad79d99_astrill.ini",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Astrill.ini",
"type": "data",
"sha256": "345a02e48ad79d99ac25066e1c670c5f10ec8a33dbca1aae40640bab05f73837",
"urls": [],
"crc32": "5550A508",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/458\/files\/345a02e48ad79d99_astrill.ini",
"ssdeep": null,
"size": 1618,
"sha512": "a5564d916b525379da4940ca19b17921fcc185aee2bc7cf09d1fc54f13da53dfb89f191bb5a1a490463966ff26ab58dd82a213494947ece8c37e9db2a93f662c",
"pids": [
2856
],
"md5": "63520f7ee142cc25bdccca761c54626e"
}
]

Per-process summary (one process, PID 2856):

[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"process_name": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"pid": 2856,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Astrill.ini"
],
"file_recreated": [
"\\??\\Nsi"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER\\iexplore.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER\\iexplore.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server"
],
"dll_loaded": [
"libssl32.dll",
"gdi32.dll",
"Fwpuclnt.dll",
"kernel32.dll",
"UxTheme.dll",
"oleaut32.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"shlwapi.dll",
"WS2_32.DLL",
"msimg32.dll",
"libeay32.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"KERNEL32.DLL",
"SHFolder.dll",
"OLEAUT32.DLL",
"advapi32.dll",
"comctl32",
"ole32.dll",
"CRYPTSP.dll",
"IMM32.dll",
"comdlg32.dll",
"version.dll",
"wininet.dll",
"ADVAPI32.dll",
"uxtheme.dll",
"ssleay32.dll",
"comctl32.dll",
"SHELL32.dll",
"iphlpapi.dll",
"s",
"zlib1.dll",
"shell32.dll",
"user32.dll",
"ws2_32.dll"
],
"file_opened": [
"C:\\Windows\\System32\\wshqos.dll",
"C:\\Windows\\Fonts\\staticcache.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"\\??\\PhysicalDrive0",
"C:\\Windows\\System32\\WSHTCPIP.DLL",
"C:\\Windows\\System32\\wship6.dll"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\DirectDrawEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE40",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\Connection",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall",
"HKEY_CURRENT_USER\\Control Panel\\Keyboard",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER",
"HKEY_LOCAL_MACHINE\\Software\\Astrill",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE5BAKEX",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Fontcore",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\SchedulingAgent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\MobileOptionPack",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\AddressBook",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Mozilla Firefox 60.0.2 (x86 sv-SE)",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Connection Manager",
"HKEY_CURRENT_USER\\Control Panel\\Accessibility\\Blind Access",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IEData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\WIC",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE4Data"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Astrill.ini"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill"
],
"connects_ip": [
"192.168.56.101"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aswgvpnc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\openweb.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Astrill.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\asovpnc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\adsblock.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ASProxy.exe",
"C:\\Windows\\SysWOW64\\Macromed\\Flash",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"mutex": [
"Global\\MX_Astrill"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"C:\\Windows\\Fonts\\staticcache.dat"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx\\DisplayName",
"HKEY_CURRENT_USER\\Control Panel\\Accessibility\\Blind Access\\LeftToRight",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 60.0.2 (x86 sv-SE)\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
"HKEY_CURRENT_USER\\Control Panel\\Keyboard\\KeybaordLayout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\NameServer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\*.old",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1561042386.6562,
"ppid": 1776
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1561042386.4062,
"ppid": 376
}
][
{
"markcount": 1,
"families": [],
"description": "The executable uses a known packer",
"severity": 1,
"marks": [
{
"category": "packer",
"ioc": "UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "peid_packer"
},
{
"markcount": 2,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x6de86 @ 0x46de86\na09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x10384 @ 0x410384\na09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x14a01 @ 0x414a01",
"registers": {
"esp": 1113560,
"edi": 188,
"eax": 1447909480,
"ebp": 1113676,
"edx": 22104,
"ebx": 0,
"esi": 188,
"ecx": 10
},
"exception": {
"instruction_r": "ed 81 fb 68 58 4d 56 0f 94 45 f4 5b 59 5a 80 7d",
"symbol": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x6d7c6",
"instruction": "in eax, dx",
"module": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"exception_code": "0xc0000096",
"offset": 448454,
"address": "0x46d7c6"
}
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 782
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x6de86 @ 0x46de86\na09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x10384 @ 0x410384\na09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x14a01 @ 0x414a01",
"registers": {
"esp": 1113572,
"edi": 188,
"eax": 1,
"ebp": 1113676,
"edx": 1113652,
"ebx": 0,
"esi": 188,
"ecx": 2130563072
},
"exception": {
"instruction_r": "0f 3f 07 0b c6 45 f4 01 80 7d f4 00 75 11 e8 65",
"symbol": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x6d818",
"address": "0x46d818",
"module": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"exception_code": "0xc000001d",
"offset": 448536
}
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 783
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 7,
"families": [],
"description": "Starts servers listening",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "bind",
"return_value": 0,
"arguments": {
"ip_address": "0.0.0.0",
"socket": 392,
"port": 55888
},
"time": 1561042393.9852,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 43206
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "bind",
"return_value": 0,
"arguments": {
"ip_address": "",
"socket": 396,
"port": 0
},
"time": 1561042393.9852,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 43212
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "listen",
"return_value": 0,
"arguments": {
"socket": 392,
"backlog": 25
},
"time": 1561042393.9852,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 43215
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "listen",
"return_value": 0,
"arguments": {
"socket": 396,
"backlog": 25
},
"time": 1561042393.9852,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 43222
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "bind",
"return_value": 0,
"arguments": {
"ip_address": "0.0.0.0",
"socket": 488,
"port": 0
},
"time": 1561042394.0003,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 43280
},
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 10038,
"nt_status": -1073741811,
"api": "accept",
"return_value": 4294967295,
"arguments": {
"ip_address": "",
"socket": 392,
"port": 0
},
"time": 1561042394.0003,
"tid": 2284,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 43310
},
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 10038,
"nt_status": -1073741811,
"api": "accept",
"return_value": 4294967295,
"arguments": {
"ip_address": "",
"socket": 396,
"port": 0
},
"time": 1561042394.0003,
"tid": 2792,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 43319
}
],
"references": [],
"name": "network_bind"
},
{
"markcount": 6,
"families": [],
"description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "mobsync.exe",
"snapshot_handle": "0x00000174",
"process_identifier": 2708
},
"time": 1561042393.8912,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 42676
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "python.exe",
"snapshot_handle": "0x00000174",
"process_identifier": 1584
},
"time": 1561042393.8912,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 42677
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "taskhost.exe",
"snapshot_handle": "0x00000174",
"process_identifier": 2308
},
"time": 1561042393.8912,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 42678
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "SearchProtocolHost.exe",
"snapshot_handle": "0x00000174",
"process_identifier": 2816
},
"time": 1561042393.8912,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 42679
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"snapshot_handle": "0x00000174",
"process_identifier": 2856
},
"time": 1561042393.8912,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 42680
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "SearchFilterHost.exe",
"snapshot_handle": "0x00000174",
"process_identifier": 2204
},
"time": 1561042393.8912,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 42681
}
],
"references": [],
"name": "injection_process_search"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.999893797386,
"section": {
"size_of_data": "0x00259200",
"virtual_address": "0x0070f000",
"entropy": 7.999893797386,
"name": "UPX1",
"virtual_size": "0x0025a000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.9405437121064,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 13,
"families": [],
"description": "Queries for potentially installed applications",
"severity": 2,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 784
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\AddressBook",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\AddressBook",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 799
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Connection Manager",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Connection Manager",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 802
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\DirectDrawEx",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\DirectDrawEx",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 805
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Fontcore",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Fontcore",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 808
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE40",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE40",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 811
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE4Data",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE4Data",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 814
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE5BAKEX",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IE5BAKEX",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 817
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IEData",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\IEData",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 820
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\MobileOptionPack",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\MobileOptionPack",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 823
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Mozilla Firefox 60.0.2 (x86 sv-SE)",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\Mozilla Firefox 60.0.2 (x86 sv-SE)",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 826
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\SchedulingAgent",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\SchedulingAgent",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 831
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020019",
"base_handle": "0x80000002",
"key_handle": "0x00000124",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\WIC",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\WIC",
"options": 0
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 834
}
],
"references": [],
"name": "queries_programs"
},
{
"markcount": 2,
"families": [],
"description": "The executable is compressed using UPX",
"severity": 2,
"marks": [
{
"section": "UPX0",
"type": "generic",
"description": "Section name indicates UPX"
},
{
"section": "UPX1",
"type": "generic",
"description": "Section name indicates UPX"
}
],
"references": [],
"name": "packer_upx"
},
{
"markcount": 27,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" \/autostart"
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 2,
"families": [],
"description": "Attempts to modify browser security settings",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER\\iexplore.exe",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER\\iexplore.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "browser_security"
},
{
"markcount": 1,
"families": [],
"description": "Collects information about installed applications",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegQueryValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000124",
"value": "Mozilla Firefox 60.0.2 (x86 sv-SE)",
"regkey_r": "DisplayName",
"reg_type": 1,
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 60.0.2 (x86 sv-SE)\\DisplayName"
},
"time": 1561042387.2192,
"tid": 856,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 2856,
"type": "call",
"cid": 829
}
],
"references": [],
"name": "recon_programs"
},
{
"markcount": 1,
"families": [],
"description": "Detects VMWare through the in instruction feature",
"severity": 3,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x6de86 @ 0x46de86\na09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x10384 @ 0x410384\na09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x14a01 @ 0x414a01",
"registers": {
"esp": 1113560,
"edi": 188,
"eax": 1447909480,
"ebp": 1113676,
"edx": 22104,
"ebx": 0,
"esi": 188,
"ecx": 10
},
"exception": {
"instruction_r": "ed 81 fb 68 58 4d 56 0f 94 45 f4 5b 59 5a 80 7d",
"symbol": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32+0x6d7c6",
"instruction": "in eax, dx",
"module": "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin",
"exception_code": "0xc0000096",
"offset": 448454,
"address": "0x46d7c6"
}
},
"time": 1561042387.2192,
"tid": 856,
"flags": {}
},
"pid": 2856,
"type": "call",
"cid": 782
}
],
"references": [],
"name": "antivm_vmware_in_instruction"
}
]
The Yara rules did not detect anything in the file.
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.2085630893707,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5342,
"time": 12.208680152893,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7186,
"time": 6.1397330760956,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7514,
"time": 4.1465470790863,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7842,
"time": 6.1484141349792,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8170,
"time": 4.6484191417694,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8498,
"time": 3.0259511470795,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8826,
"time": 4.6634402275085,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28236,
"time": 4.1687290668488,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36620,
"time": 6.3026452064514,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "112b81bb1e7063ebec390eaa8288ea24af243e05a34f959de8f2f866d48b6468",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "6534b97fec395b3abd10c97040810615ba1e07db137b2765c18df6d288e6a81c",
"irc": [],
"https_ex": []
}
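The signature and network blocks above are raw Cuckoo output, and several of them are easy to over-read. The persistence_autorun signature repeats one identical Run-key mark 27 times, and the value it records points at the sandbox's renamed copy of the sample (the <sha256>.bin in %TEMP%, matching the SHA256 listed below) rather than the product's own install path. The RegOpenKeyExA calls under queries_programs use access mask 0x00020019, which is KEY_READ, so the Uninstall keys were only enumerated. The browser_security hit is on FEATURE_MAXCONNECTIONSPERSERVER, an Internet Explorer feature-control key that sets the per-host HTTP connection limit, not a zone or security setting. The faulting `in eax, dx` carries the VMware backdoor magic 0x564D5868 ("VMXh") in EAX, port 0x5658 in EDX and command 0x0A (get version) in ECX; the recorded exception code 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) is what a ring-3 IN produces when no VMware hypervisor intercepts that port, so this probe came back negative, consistent with the 192.168.56.0/24 guest address, which is VirtualBox's default host-only range. Finally, every UDP flow goes to a subnet broadcast or multicast address on a local discovery port (NBNS 137/138, LLMNR 5355, SSDP 1900, WS-Discovery 3702) while dns, http and tcp are all empty, which is the guest's own background chatter rather than sample traffic.

The Python below is an added triage helper, not code from the FreeFixer page or from the Cuckoo project. It runs offline on a constructed excerpt that carries the same keys and values as the report above; the /24 guest prefix, the excerpt layout and all function and constant names are this example's own assumptions.

```python
"""Triage helper for the Cuckoo signature and UDP excerpts above (added example,
not code from the FreeFixer page or from Cuckoo). It collapses the 27 identical
persistence_autorun marks, decodes the RegOpenKeyExA access mask, checks the
registers at the faulting "in eax, dx" against the VMware backdoor protocol, and
tags UDP flows to broadcast/multicast discovery ports as guest background noise."""
import ipaddress
import json
from collections import Counter

VMWARE_MAGIC = 0x564D5868      # "VMXh", expected in EAX
VMWARE_PORT = 0x5658           # "VX" backdoor I/O port, expected in EDX
STATUS_PRIVILEGED_INSTRUCTION = 0xC0000096
KEY_RIGHTS = [(0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),     # winreg.h bits
              (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
              (0x0010, "KEY_NOTIFY")]
KEY_READ = 0x00020000 | 0x0001 | 0x0008 | 0x0010                            # == 0x20019
KEY_WRITE_BITS = 0x0002 | 0x0004
DISCOVERY_PORTS = {137: "NBNS", 138: "NetBIOS-dgm", 5355: "LLMNR", 1900: "SSDP", 3702: "WS-Discovery"}

# Constructed excerpt: trimmed copies of the signature marks and UDP flows shown above.
REPORT_EXCERPT = json.dumps({
    "signatures": [
        {"name": "queries_programs", "marks": [{"type": "call", "call": {"api": "RegOpenKeyExA",
            "arguments": {"access": "0x00020019",
                          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\UnInstall\\WIC"}}}]},
        {"name": "persistence_autorun", "marks": [{"type": "generic",
            "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Astrill",
            "reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\"
                         "a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32.bin\" /autostart"}] * 27},
        {"name": "antivm_vmware_in_instruction", "marks": [{"type": "call", "call": {"api": "__exception__",
            "arguments": {"registers": {"eax": 1447909480, "ebx": 0, "ecx": 10, "edx": 22104},
                          "exception": {"instruction": "in eax, dx", "exception_code": "0xc0000096"}}}}]},
    ],
    "udp": [{"src": "192.168.56.101", "dst": "192.168.56.255", "dport": 137},
            {"src": "192.168.56.101", "dst": "224.0.0.252", "dport": 5355},
            {"src": "192.168.56.101", "dst": "239.255.255.250", "dport": 1900},
            {"src": "192.168.56.101", "dst": "239.255.255.250", "dport": 3702}],
})


def decode_key_access(mask_hex):
    """Name the rights in a RegOpenKeyEx access mask and flag write intent."""
    mask = int(mask_hex, 16)
    return {"rights": [name for bit, name in KEY_RIGHTS if mask & bit],
            "is_key_read": mask == KEY_READ,
            "writes": bool(mask & KEY_WRITE_BITS)}


def decode_vmware_probe(registers, exception):
    """Interpret a faulting IN as a VMware backdoor query (command 0x0A = get version)."""
    faulted = int(exception["exception_code"], 16) == STATUS_PRIVILEGED_INSTRUCTION
    return {"instruction": exception["instruction"],
            "magic_in_eax": registers["eax"] == VMWARE_MAGIC,
            "backdoor_port_in_edx": registers["edx"] == VMWARE_PORT,
            "command": registers["ecx"],
            # A ring-3 IN traps with STATUS_PRIVILEGED_INSTRUCTION unless VMware
            # intercepts the port, so a recorded fault means the probe said "no".
            "vmware_not_detected": faulted}


def classify_udp(flows, guest_prefix=24):
    """Tag flows to broadcast/multicast discovery ports as guest background noise.
    Assumption: the guest is on a /24 (192.168.56.0/24 in the report), so the
    subnet broadcast is derived from the source address with that prefix."""
    out = []
    for f in flows:
        dst = ipaddress.ip_address(f["dst"])
        bcast = ipaddress.ip_network(f"{f['src']}/{guest_prefix}", strict=False).broadcast_address
        proto = DISCOVERY_PORTS.get(f["dport"])
        out.append({"dst": f["dst"], "dport": f["dport"], "proto": proto,
                    "background": proto is not None and (dst.is_multicast or dst == bcast)})
    return out


def triage(report_json):
    """Return one finding per distinct observation in the excerpt."""
    report = json.loads(report_json)
    findings = []
    for sig in report["signatures"]:
        if sig["name"] == "persistence_autorun":
            for (key, value), n in Counter((m["reg_key"], m["reg_value"]) for m in sig["marks"]).items():
                findings.append({"kind": "autorun", "key": key, "value": value, "repeats": n,
                                 # Cuckoo ran the sample as <sha256>.bin from %TEMP%; the path in
                                 # the Run value is that sandbox copy, not the product's install dir.
                                 "sandbox_path": "\\AppData\\Local\\Temp\\" in value})
        elif sig["name"] == "queries_programs":
            for m in sig["marks"]:
                args = m["call"]["arguments"]
                findings.append({"kind": "reg_open", "key": args["regkey"], **decode_key_access(args["access"])})
        elif sig["name"] == "antivm_vmware_in_instruction":
            for m in sig["marks"]:
                args = m["call"]["arguments"]
                findings.append({"kind": "antivm", **decode_vmware_probe(args["registers"], args["exception"])})
    findings.extend({"kind": "udp", **f} for f in classify_udp(report["udp"]))
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_EXCERPT):
        print(finding)
```

Running the script prints one finding per line: a single autorun IOC with repeats=27 and sandbox_path=True, a read-only KEY_READ open of the Uninstall key, an antivm entry whose magic, port and command all match the VMware backdoor while vmware_not_detected is True, and four UDP flows all tagged as background. Feeding it a full Cuckoo report only requires pointing it at report["signatures"] and report["network"]["udp"], and any UDP flow to a unicast address or a non-discovery port comes out with background=False, which is the set worth looking at.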
| Property | Value |
|---|---|
| MD5 | 9725a84882369276d3ffa47822b4a5bb |
| SHA256 | a09921cff39357624890c3ca3be4d5973c4a1a4347c3f9596ef5f295153bcd32 |
These are some of the error messages that can appear related to astrill.exe:
astrill.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
astrill.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Astrill - Way to Stars has stopped working.
End Program - astrill.exe. This program is not responding.
astrill.exe is not a valid Win32 application.
astrill.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
If you feel that you need more information to determine if you should keep this file or remove it, please read this guide.
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and let you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.