What is clerk.exe?
clerk.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected clerk.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Digital signatures [?]
clerk.exe is not signed.
VirusTotal report
20 of the 67 anti-virus programs at VirusTotal detected the clerk.exe file. That's a 30% detection rate.
| Scanner | Detection Name |
|---|---|
| Antiy-AVL | Trojan/Generic.ASVCS3S.1E5 |
| Arcabit | AIT:Trojan.Nymeria.D6FA |
| Avira | HEUR/AGEN.1038817 |
| BitDefender | AIT:Trojan.Nymeria.1786 |
| CrowdStrike | win/malicious_confidence_80% (D) |
| Emsisoft | AIT:Trojan.Nymeria.1786 (B) |
| F-Secure | Heuristic.HEUR/AGEN.1038817 |
| GData | AIT:Trojan.Nymeria.1786 |
| Ikarus | Trojan.Autoit |
| Invincea | heuristic |
| Kaspersky | Trojan.Win32.Inject.aliev |
| McAfee-GW-Edition | BehavesLike.Win32.Downloader.vh |
| Microsoft | Trojan:Win32/Fuery.C!cl |
| MicroWorld-eScan | AIT:Trojan.Nymeria.1786 |
| Paloalto | generic.ml |
| Qihoo-360 | HEUR/QVM10.2.A5D3.Malware.Gen |
| SentinelOne | static engine - malicious |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Win32.Trojan.Inject.Auto |
| ZoneAlarm | UDS:DangerousObject.Multi.Generic |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp789B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\add9dc6e-4f56-9414-e2a0-56a2950ab58f"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp789B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"\\Device\\KsecDD"
],
"dll_loaded": [
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"kernel32",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\oleaut32.dll",
"ntdll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ntdll.dll",
"gdi32.dll",
"Advapi32.dll",
"kernel32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\/nssckbi.dll",
"oleaut32.dll",
"dwmapi.dll",
"ntdll.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"UxTheme.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll",
"bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.dll",
"crypt32.dll",
"pstorec.dll",
"cryptbase.dll",
"AdvApi32.dll",
"advapi32.dll",
"C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.dll",
"psapi.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"IMM32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll",
"shell32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\wminet_utils.dll",
"OLEAUT32.dll",
"comctl32",
"vaultcli.dll",
"ole32.dll",
"comctl32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"mscoree.dll",
"RpcRtRemote.dll",
"shfolder.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"user32.dll"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\pkcs11.txt",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.cfg",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Mozilla\\Mozilla Firefox\\bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Mozilla\\Mozilla Firefox 60.0.2\\bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}",
"HKEY_CURRENT_USER\\Software\\Yahoo\\Pager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_CURRENT_USER\\Software\\Google\\Google Desktop\\Mailboxes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_CURRENT_USER\\Software\\Microsoft\\IdentityCRL",
"HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts",
"HKEY_CURRENT_USER\\Software\\Qualcomm\\Eudora\\CommandLine",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",
"HKEY_LOCAL_MACHINE\\Software\\Mozilla\\Mozilla Thunderbird",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
"HKEY_LOCAL_MACHINE\\Software\\Group Mail",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77815aaa\\6ead34a5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77815aaa\\18fc2e07",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_CURRENT_USER\\Identities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\Software\\IncrediMail\\Identities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CURRENT_USER\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\Software\\Microsoft\\Internet Account Manager\\Accounts",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Mozilla",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43",
"HKEY_CURRENT_USER\\Software\\Microsoft\\MSNMessenger",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RegAsm.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\599c5972\\43073772",
"HKEY_CURRENT_USER\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",
"HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_CURRENT_USER\\Software\\Microsoft\\MessengerService",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\seamonkey.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2facbc93\\5f865945",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail",
"HKEY_LOCAL_MACHINE\\Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a"
],
"command_line": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" \/stext \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp\"",
"\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" \/stext \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp789B.tmp\""
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\add9dc6e-4f56-9414-e2a0-56a2950ab58f"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\secmod.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Profiles",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera\\Opera7\\profile\\wand.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert6.db",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert5.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SeaMonkey\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera\\Opera\\wand.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert2.db",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\add9dc6e-4f56-9414-e2a0-56a2950ab58f",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\places.sqlite",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\logins.json",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert4.db",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA.dll",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key3.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\signons2.txt",
"C:\\Program Files (x86)\\Mozilla Thunderbird",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db-journal",
"C:\\Users\\cuck\\AppData\\Roaming\\Thunderbird\\Profiles",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key2.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db-wal",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db-wal",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert7.db",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\Reborn Stub.resources\\Reborn Stub.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\Reborn Stub.resources\\Reborn Stub.resources.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Apple Computer\\Preferences\\keychain.plist",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin:Zone.Identifier",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\Login Data",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\Reborn Stub.resources.dll",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\Reborn Stub.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\Reborn Stub.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert8.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\signons.sqlite",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV24.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\Reborn Stub.resources.exe",
"C:\\Program Files (x86)\\Sea Monkey\\nss3.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc_lng.ini",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\history.dat",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\Reborn Stub.resources\\Reborn Stub.resources.dll",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db",
"C:\\Users\\cuck\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\signons.txt",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db-journal",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\Reborn Stub.resources\\Reborn Stub.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert3.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\signons3.txt"
],
"mutex": [
"bridgeres",
"85b57344-aa28-4dee-95fc-0592709d00a9"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Windows\\System32\\wbem\\en-US\\wmiutils.dll.mui",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\places.sqlite",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\index.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Program Files (x86)\\Mozilla Firefox",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp789B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\pkcs11.txt"
],
"wmi_query": [
"SELECT MacAddress FROM Win32_NetworkAdapterConfiguration ",
"SELECT ProcessorId FROM Win32_Processor "
],
"guid": [
"{eb87e1bd-3233-11d2-aec9-00c04fb68820}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{00000001-0000-0000-c000-000000000046}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\index.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\pkcs11.txt",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_CURRENT_USER\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\Username",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\FinalizerActivityBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\1DF4D951",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Mozilla\\Mozilla Firefox 60.0.2\\bin\\PathToExe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles\\*.*",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\*.oeaccount",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*.*",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*.*",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.INI",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*.oeaccount",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.oeaccount",
"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin:Zone.Identifier",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.INI",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*.*",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\*.*",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\*.oeaccount",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\*.*",
"C:\\Windows\\winsxs",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*.oeaccount",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI"
]
}Dropped
[
{
"yara": [],
"sha1": "d62636d8caec13f04e28442a0a6fa1afeb024bbb",
"name": "b3d510ef04275ca8_tmp8A04.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"type": "Little-endian UTF-16 Unicode text, with no line terminators",
"sha256": "b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209",
"urls": [],
"crc32": "88F83096",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8917\/files\/b3d510ef04275ca8_tmp8A04.tmp",
"ssdeep": null,
"size": 2,
"sha512": "98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84",
"pids": [
1996,
2872
],
"md5": "f3b25701fe362ec84616a93a45ce9998"
},
{
"yara": [],
"sha1": "c559163c23e5f878be85d05f3edeeaa620173c3d",
"name": "2df94dc1c58e952a_add9dc6e-4f56-9414-e2a0-56a2950ab58f",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\add9dc6e-4f56-9414-e2a0-56a2950ab58f",
"type": "ASCII text, with no line terminators",
"sha256": "2df94dc1c58e952a1ebd1ae1185a291a8a573982ca90ec1bbb87b81126002668",
"urls": [],
"crc32": "BA9960EE",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8917\/files\/2df94dc1c58e952a_add9dc6e-4f56-9414-e2a0-56a2950ab58f",
"ssdeep": null,
"size": 88,
"sha512": "c8912da4654c735f7618b0abea7ec0197b17e6e072718b825b5799b2e88cc0e8ae8245ca95e1e5955c3ab8f649ca4ed6529975b142b061ecc402d935401b84de",
"pids": [
2872
],
"md5": "454353131947d1483ff5470107478978"
}
]Generic
[
{
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"process_name": "vbc.exe",
"pid": 984,
"summary": {
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp789B.tmp"
],
"dll_loaded": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"crypt32.dll",
"pstorec.dll",
"advapi32.dll",
"shell32.dll",
"rpcrt4.dll",
"comctl32.dll"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.cfg"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles",
"HKEY_CURRENT_USER\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\Software\\Microsoft\\Internet Account Manager\\Accounts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\MessengerService",
"HKEY_LOCAL_MACHINE\\Software\\Mozilla\\Mozilla Thunderbird",
"HKEY_CURRENT_USER\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
"HKEY_LOCAL_MACHINE\\Software\\Group Mail",
"HKEY_CURRENT_USER\\Software\\Yahoo\\Pager",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_CURRENT_USER\\Software\\Google\\Google Desktop\\Mailboxes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\MSNMessenger",
"HKEY_CURRENT_USER\\Software\\Qualcomm\\Eudora\\CommandLine",
"HKEY_CURRENT_USER\\Identities",
"HKEY_CURRENT_USER\\Software\\Microsoft\\IdentityCRL",
"HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail",
"HKEY_CURRENT_USER\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",
"HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts",
"HKEY_LOCAL_MACHINE\\Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current",
"HKEY_LOCAL_MACHINE\\Software\\IncrediMail\\Identities"
],
"file_exists": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc_lng.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Profiles",
"C:\\Program Files (x86)\\Mozilla Thunderbird",
"C:\\Users\\cuck\\AppData\\Roaming\\Thunderbird\\Profiles"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\Username",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*.oeaccount",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\*.*"
]
},
"first_seen": 1597348460.796625,
"ppid": 2872
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1597348386.34375,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin",
"process_name": "83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin",
"pid": 1664,
"summary": {
"dll_loaded": [
"kernel32",
"Advapi32.dll",
"kernel32.dll",
"UxTheme.dll",
"dwmapi.dll",
"comctl32",
"comctl32.dll",
"CRYPTSP.dll",
"IMM32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin:Zone.Identifier"
],
"mutex": [
"bridgeres"
],
"command_line": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e.bin:Zone.Identifier",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1597348386.625,
"ppid": 2448
},
{
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"process_name": "vbc.exe",
"pid": 1996,
"summary": {
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp"
],
"dll_loaded": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"cryptbase.dll",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.dll",
"pstorec.dll",
"advapi32.dll",
"vaultcli.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\/nssckbi.dll",
"C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.dll",
"shell32.dll",
"rpcrt4.dll",
"psapi.dll",
"CRYPTSP.dll",
"comctl32.dll"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\pkcs11.txt",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.cfg"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Mozilla\\Mozilla Firefox\\bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\seamonkey.exe",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Mozilla",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Mozilla\\Mozilla Firefox 60.0.2\\bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\secmod.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db-journal",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera\\Opera7\\profile\\wand.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert6.db",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert5.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SeaMonkey\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera\\Opera\\wand.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert2.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\places.sqlite",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\logins.json",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert4.db",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key3.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\signons2.txt",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key2.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db-wal",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db-wal",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert7.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Apple Computer\\Preferences\\keychain.plist",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert8.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\signons.sqlite",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV24.dat",
"C:\\Program Files (x86)\\Sea Monkey\\nss3.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc_lng.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\history.dat",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db",
"C:\\Users\\cuck\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\signons.txt",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db-journal",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert3.db",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\signons3.txt"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\places.sqlite",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\index.dat",
"C:\\",
"C:\\Program Files (x86)\\Mozilla Firefox",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\pkcs11.txt"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cert9.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\key4.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\pkcs11.txt"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Mozilla\\Mozilla Firefox 60.0.2\\bin\\PathToExe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\*.*",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera\\*.*"
]
},
"first_seen": 1597348399.734125,
"ppid": 2872
},
{
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"process_name": "RegAsm.exe",
"pid": 2872,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp789B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\add9dc6e-4f56-9414-e2a0-56a2950ab58f"
],
"file_recreated": [
"\\Device\\KsecDD"
],
"dll_loaded": [
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\oleaut32.dll",
"ntdll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ntdll.dll",
"gdi32.dll",
"kernel32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"oleaut32.dll",
"dwmapi.dll",
"ntdll.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"ADVAPI32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll",
"bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"advapi32.dll",
"ole32.dll",
"SHLWAPI.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll",
"AdvApi32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\wminet_utils.dll",
"OLEAUT32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"CRYPTSP.dll",
"mscoree.dll",
"RpcRtRemote.dll",
"shfolder.dll",
"shell32.dll",
"user32.dll"
],
"file_opened": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\System32\\wbem\\en-US\\wmiutils.dll.mui",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp789B.tmp",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RegAsm.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77815aaa\\6ead34a5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\599c5972\\43073772",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77815aaa\\18fc2e07",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2facbc93\\5f865945",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064"
],
"command_line": [
"\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" \/stext \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp\"",
"\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" \/stext \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp789B.tmp\""
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\add9dc6e-4f56-9414-e2a0-56a2950ab58f"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp"
],
"file_exists": [
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\add9dc6e-4f56-9414-e2a0-56a2950ab58f",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\Reborn Stub.resources\\Reborn Stub.resources.exe",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\Reborn Stub.resources\\Reborn Stub.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\Reborn Stub.resources\\Reborn Stub.resources.exe",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\Reborn Stub.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\Reborn Stub.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\Reborn Stub.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\Reborn Stub.resources\\Reborn Stub.resources.dll",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\Reborn Stub.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\GpJmmfYBHDiNqFjcVKSNxCwyuuWmA.dll"
],
"mutex": [
"85b57344-aa28-4dee-95fc-0592709d00a9"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config"
],
"wmi_query": [
"SELECT MacAddress FROM Win32_NetworkAdapterConfiguration ",
"SELECT ProcessorId FROM Win32_Processor "
],
"guid": [
"{eb87e1bd-3233-11d2-aec9-00c04fb68820}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{00000001-0000-0000-c000-000000000046}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\FinalizerActivityBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\1DF4D951",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
]
},
"first_seen": 1597348387.421875,
"ppid": 1664
}
]Signatures
[
{
"markcount": 10,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348398.874875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25232
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348398.952875,
"tid": 368,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25535
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348398.952875,
"tid": 368,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25568
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348398.983875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25660
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348398.999875,
"tid": 264,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25707
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348398.999875,
"tid": 264,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25740
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348399.015875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25763
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348405.516125,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 1198
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348405.562125,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 1338
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597348460.921625,
"tid": 3000,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 181
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 2,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1597348386.766,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 73
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1597348387.515875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 315
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 2,
"families": [],
"description": "Tries to locate where the browsers are installed",
"severity": 1,
"marks": [
{
"category": "file",
"ioc": "C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Mozilla\\Mozilla Firefox\\bin",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "locates_browser"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1597348387.561875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 627
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 62,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x00870000"
},
"time": 1597348387.234,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1664,
"type": "call",
"cid": 875
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 589824,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x04520000"
},
"time": 1597348387.266,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1664,
"type": "call",
"cid": 893
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x70c51000"
},
"time": 1597348387.499875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2872,
"type": "call",
"cid": 66
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74e74000"
},
"time": 1597348387.499875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2872,
"type": "call",
"cid": 68
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x70c51000"
},
"time": 1597348387.515875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2872,
"type": "call",
"cid": 203
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0069a000"
},
"time": 1597348387.515875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 326
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x70c52000"
},
"time": 1597348387.515875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2872,
"type": "call",
"cid": 327
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00692000"
},
"time": 1597348387.515875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 328
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006a2000"
},
"time": 1597348387.515875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 437
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006a3000"
},
"time": 1597348387.530875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 528
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006db000"
},
"time": 1597348387.530875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 536
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006d7000"
},
"time": 1597348387.530875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 537
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x751c1000"
},
"time": 1597348387.530875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2872,
"type": "call",
"cid": 581
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006ac000"
},
"time": 1597348387.546875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 603
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00bc0000"
},
"time": 1597348387.546875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 613
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006a4000"
},
"time": 1597348387.561875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 621
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00bc1000"
},
"time": 1597348387.561875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 624
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00bc2000"
},
"time": 1597348387.561875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 638
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00bc3000"
},
"time": 1597348387.561875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 646
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00bc4000"
},
"time": 1597348387.718875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 681
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006a5000"
},
"time": 1597348387.733875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 726
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006a6000"
},
"time": 1597348387.749875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 912
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006a8000"
},
"time": 1597348387.749875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 914
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006a9000"
},
"time": 1597348387.749875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 925
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00bc5000"
},
"time": 1597348387.765875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 957
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00d70000"
},
"time": 1597348387.874875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 962
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006ad000"
},
"time": 1597348387.874875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 963
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006aa000"
},
"time": 1597348387.874875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 966
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006ca000"
},
"time": 1597348387.874875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 992
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006b6000"
},
"time": 1597348387.905875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 1080
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00bc6000"
},
"time": 1597348387.905875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 1082
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x75081000"
},
"time": 1597348387.921875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2872,
"type": "call",
"cid": 1092
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006ba000"
},
"time": 1597348388.811875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25127
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006b7000"
},
"time": 1597348388.811875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25128
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00d71000"
},
"time": 1597348388.811875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25133
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006d5000"
},
"time": 1597348388.811875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25134
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00bc7000"
},
"time": 1597348398.827875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25169
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x751b1000"
},
"time": 1597348398.890875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2872,
"type": "call",
"cid": 25301
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 327680,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 1056768,
"base_address": "0x7ef40000"
},
"time": 1597348398.890875,
"tid": 1424,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE|MEM_TOP_DOWN"
}
},
"pid": 2872,
"type": "call",
"cid": 25387
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x7ef40000"
},
"time": 1597348398.890875,
"tid": 1424,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25388
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x7ef40000"
},
"time": 1597348398.890875,
"tid": 1424,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25389
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 1056768,
"base_address": "0x7ef30000"
},
"time": 1597348398.890875,
"tid": 1424,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE|MEM_TOP_DOWN"
}
},
"pid": 2872,
"type": "call",
"cid": 25390
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x7ef30000"
},
"time": 1597348398.890875,
"tid": 1424,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25391
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0069b000"
},
"time": 1597348398.905875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25405
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006c2000"
},
"time": 1597348398.936875,
"tid": 368,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25447
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x6a311000"
},
"time": 1597348398.936875,
"tid": 368,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2872,
"type": "call",
"cid": 25460
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x006ab000"
},
"time": 1597348398.936875,
"tid": 368,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25473
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x074a0000"
},
"time": 1597348398.952875,
"tid": 368,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25490
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x074a1000"
},
"time": 1597348398.952875,
"tid": 368,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25505
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x074a2000"
},
"time": 1597348398.952875,
"tid": 368,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2872,
"type": "call",
"cid": 25517
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "A process attempted to delay the analysis task.",
"severity": 2,
"marks": [
{
"type": "generic",
"description": "RegAsm.exe tried to sleep 411 seconds, actually delayed analysis time by 411 seconds"
}
],
"references": [],
"name": "antisandbox_sleep"
},
{
"markcount": 2,
"families": [],
"description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
"severity": 2,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceW",
"return_value": 1,
"arguments": {
"root_path": "\\",
"sectors_per_cluster": 8,
"number_of_free_clusters": 5739977,
"total_number_of_clusters": 8362495,
"bytes_per_sector": 512
},
"time": 1597348405.516125,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 1202
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceW",
"return_value": 1,
"arguments": {
"root_path": "\\",
"sectors_per_cluster": 8,
"number_of_free_clusters": 5739977,
"total_number_of_clusters": 8362495,
"bytes_per_sector": 512
},
"time": 1597348405.562125,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 1342
}
],
"references": [],
"name": "antivm_disk_size"
},
{
"markcount": 3,
"families": [],
"description": "Steals private information from local Internet browsers",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\Opera\\Opera7\\profile\\wand.dat",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\Opera\\Opera\\wand.dat",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "infostealer_browser"
},
{
"markcount": 2,
"families": [],
"description": "Executes one or more WMI queries",
"severity": 2,
"marks": [
{
"category": "wmi",
"ioc": "SELECT MacAddress FROM Win32_NetworkAdapterConfiguration ",
"type": "ioc",
"description": null
},
{
"category": "wmi",
"ioc": "SELECT ProcessorId FROM Win32_Processor ",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_wmi"
},
{
"markcount": 1,
"families": [],
"description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "SearchFilterHost.exe",
"snapshot_handle": "0x00000124",
"process_identifier": 2888
},
"time": 1597348405.578125,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 1503
}
],
"references": [],
"name": "injection_process_search"
},
{
"markcount": 1,
"families": [],
"description": "Potentially malicious URLs were found in the process memory dump",
"severity": 2,
"marks": [
{
"category": "url",
"ioc": "http:\/\/www.nirsoft.net\/",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "memdump_urls"
},
{
"markcount": 2,
"families": [],
"description": "Executes one or more WMI queries which can be used to identify virtual machines",
"severity": 2,
"marks": [
{
"category": "wmi",
"ioc": "SELECT ProcessorId FROM Win32_Processor ",
"type": "ioc",
"description": null
},
{
"category": "wmi",
"ioc": "SELECT MacAddress FROM Win32_NetworkAdapterConfiguration ",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "wmi_antivm"
},
{
"markcount": 2,
"families": [],
"description": "One or more of the buffers contains an embedded PE file",
"severity": 3,
"marks": [
{
"category": "buffer",
"ioc": "Buffer with sha1: 57458d375b6493f3dc6fd641837161936d0dcfd2",
"type": "ioc",
"description": null
},
{
"category": "buffer",
"ioc": "Buffer with sha1: 75e53500feb070bc593915598f6c9cee699027fe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dumped_buffer2"
},
{
"markcount": 3,
"families": [],
"description": "Allocates execute permission to another process indicative of possible code injection",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 589824,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000124",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1597348387.266,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1664,
"type": "call",
"cid": 894
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1996,
"region_size": 372736,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000384",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2872,
"type": "call",
"cid": 49976
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 984,
"region_size": 114688,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000348",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2872,
"type": "call",
"cid": 50717
}
],
"references": [],
"name": "allocates_execute_remote_process"
},
{
"markcount": 1,
"families": [],
"description": "Harvests information related to installed instant messenger clients",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "infostealer_im"
},
{
"markcount": 6,
"families": [],
"description": "Potential code injection by writing to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2872,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000124",
"base_address": "0x7efde008"
},
"time": 1597348387.266,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 901
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1996,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000N\u000b\u0080R\nj\u00ee\u0001\nj\u00ee\u0001\nj\u00ee\u0001\u00c9e\u00b1\u0001\bj\u00ee\u0001\u00c9e\u00b3\u0001\u001cj\u00ee\u0001\u00f0I\u00ae\u0001\u0001j\u00ee\u0001\u00d0I\u00f2\u0001\u0001j\u00ee\u0001\nj\u00ef\u0001Dk\u00ee\u0001\u00f0I\u00f7\u0001\tj\u00ee\u0001-\u00ac\u009c\u0001>j\u00ee\u0001-\u00ac\u0092\u0001\u000bj\u00ee\u0001-\u00ac\u0096\u0001\u000bj\u00ee\u0001Rich\nj\u00ee\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0004\u0000&\u00ebWY\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0003\u0001\u000b\u0001\b\u0000\u0000@\u0004\u0000\u0000<\u0001\u0000\u0000\u0000\u0000\u0000.G\u0004\u0000\u0000\u0010\u0000\u0000\u0000P\u0004\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b0\u0005\u0000\u0000\u0004\u0000\u0000\u00e9\u000f\u0006\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000|\u00f2\u0004\u0000\u00f0\u0000\u0000\u0000\u0000@\u0005\u0000$i\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a0T\u0004\u0000\u001c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0004\u0000p\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000\u00cd>\u0004\u0000\u0000\u0010\u0000\u0000\u0000@\u0004\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rdata\u0000\u0000\u0006\u00ba\u0000\u0000\u0000P\u0004\u0000\u0000\u00bc\u0000\u0000\u0000D\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.data\u0000\u0000\u0000\u0084-\u0000\u0000\u0000\u0010\u0005\u0000\u0000\u0016\u0000\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.rsrc\u0000\u0000\u0000$i\u0000\u0000\u0000@\u0005\u0000\u0000j\u0000\u0000\u0000\u0016\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000384",
"base_address": "0x00400000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49978
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1996,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000384",
"base_address": "0x7efde008"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49986
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0010\u00fc\u00b9Qq\u0092\u00eaQq\u0092\u00eaQq\u0092\u00ea\u0092~\u00cf\u00eaCq\u0092\u00ea\u00abR\u00d2\u00eaRq\u0092\u00ea\u008bR\u008e\u00eaZq\u0092\u00eaQq\u0093\u00ea[p\u0092\u00ea\u00abR\u008b\u00eaRq\u0092\u00eav\u00b7\u00e0\u00eavq\u0092\u00eav\u00b7\u00ee\u00eaPq\u0092\u00eav\u00b7\u00ea\u00eaPq\u0092\u00eaRichQq\u0092\u00ea\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0004\u0000\u00d7\u00a4oW\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0003\u0001\u000b\u0001\b\u0000\u0000\u0016\u0001\u0000\u0000v\u0000\u0000\u0000\u0000\u0000\u0000\u001a!\u0001\u0000\u0000\u0010\u0000\u0000\u00000\u0001\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0\u0001\u0000\u0000\u0004\u0000\u0000\"\f\u0002\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,V\u0001\u0000\u00dc\u0000\u0000\u0000\u0000\u0090\u0001\u0000\u00c4.\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c03\u0001\u0000\u001c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0001\u0000\u0098\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000D\u0014\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u0016\u0001\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rdata\u0000\u0000\u00968\u0000\u0000\u00000\u0001\u0000\u0000:\u0000\u0000\u0000\u001a\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.data\u0000\u0000\u0000t\u001b\u0000\u0000\u0000p\u0001\u0000\u0000\f\u0000\u0000\u0000T\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.rsrc\u0000\u0000\u0000\u00c4.\u0000\u0000\u0000\u0090\u0001\u0000\u00000\u0000\u0000\u0000`\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000348",
"base_address": "0x00400000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50718
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000%\u0000G\u0000K\u0000P\u0000$\u0000^\u0000%\u0000^\u0000&\u0000L\u0000L\u0000(\u0000%\u0000^\u0000$\u0000^\u0000O\u0000&\u0000T\u0000R\u0000$\u0000^\u0000%\u0000^\u0000G\u0000V\u00006\u0000;\u0000l\u0000x\u0000z\u0000d\u0000\u0000\u0000\u0000\u0000O4A\u0000O4A\u0000\u00ff\u00ff\u00f0\u0000\u00ff\u00f0\u00f0\u0000\u00f0\u00f0\u00ff\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0001\u0001\u0000\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0001\u0000\u0000\u0001\u0001\u0000\u0001\u0001\u0001\u0000\u0000\u0000\u0000\u0001\u0001\u0000\u0000\u0001\u0000\u0001\u0000\u0001\u0001\u0001\u0000\u0001\u0000\u0000\u0001\u0001\u0001\u0000\u0001\u0001\u0000\u0001\u0001\u0001\u0001\u0001\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0001\u0001\u0000\u0000\u0001\u0001\u0001\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0001\u0001\u0000\u0001\u0000\u0001\u0000\u0001\u0001\u0001\u0001\u0000\u0000\u0001\u0001\u0000\u0001\u0001\u0001\u0001\u0000\u0001\u0001\u0001\u0001\u0000\u0004\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0004\u0004\u0001\u0001\u0004\u0000\u0001\u0001\u0004\u0004\u0001\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u0000\u0000\u0000\u0004\u0001\u0001\u0004\u0004\u0001\u0001\u0000\u0004\u0000\u0000\u0004\u0004\u0000\u0001\u0004\u0000\u0001\u0001\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0004\u0000\u0000\u0000\u0004\u0000\u0001\u0000\u0004\u0000\u0001\u0000\u0004\u0001\u0000\u0000\u0004\u0001\u0000\u0000\u0000\u0001\u0001\u0000\u0000\u0001\u0001\u0004\u0004\u0000\u0001\u0004\u0000\u0001\u0000\u0004\u0000\u0000\u0001\u0004\u0000\u0000\u0001\u0004\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0004\u0004\u0000\u0000\u0004\u0004\u0001\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0001\u0000\u0004\u0004\u0001\u0001\u0004\u0000\u0000\u0000\u0000\u0000\u0001\u0001\u0000\u0004\u0001\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0004\u0000\u0000\u0004\u0000\u0001\u0001\u0000\u0000\u0001\u0000\u0000\u0004\u0001\u0000\u0004\u0000\u0000\u0001\u0000\u0004\u0000\u0000\u0004\u0000\u0000\u0000\u0004\u0004\u0000\u0001\u0004\u0004\u0001\u0000\u0004\u0004\u0001\u0001\u0004\u0000\u0001\u0000\u0000\u0000\u0001\u0001\u0004\u0004\u0000\u0001\u0004\u0000\u0000\u0001\u0004\u0004\u0000\u0000\u0004\u0004\u0001\u0000\u0000\u0004\u0001\u0001\u0004\u0004\u0000\u0000\u0000\u0004\u0000\u0001\u0000\u0004\u0000\u0001\u0000\u0000\u0000\u0000\u0004\u0000\u0001\u0000\u0000\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0001\u0001 \u0080\u0010\u0080\u0000\u0080\u0000\u0080\u0000\u0080\u0000\u0000 \u0080\u0010\u0000\u0000\u0000\u0010\u0000 \u0000\u0000\u0000 \u0000\u0010\u0080 \u0080\u0000\u0080 \u0000\u0000\u0080 \u0080\u0010\u0080\u0000\u0080\u0010\u0080\u0000\u0000\u0000\u0080\u0000\u0080\u0000\u0080\u0000\u0000\u0010\u0000 \u0000\u0000\u0000 \u0000\u0010\u0080\u0000\u0080\u0010\u0000 \u0000\u0010\u0000 \u0080\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0080\u0000\u0000 \u0080\u0010\u0000\u0000\u0000\u0010\u0080 \u0000\u0010\u0000 \u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0080\u0010\u0000 \u0080\u0000\u0000\u0000\u0080\u0010\u0080\u0000\u0000\u0010\u0080 \u0080\u0000\u0000\u0000\u0000\u0000\u0000 \u0080\u0010\u0000 \u0000\u0010\u0080\u0000\u0000\u0010\u0000 \u0080\u0000\u0080\u0000\u0000\u0010\u0080\u0000\u0080\u0010\u0080\u0000\u0080\u0000\u0000\u0000\u0000\u0010\u0080\u0000\u0080\u0000\u0080 \u0000\u0000\u0000 \u0080\u0010\u0080 \u0080\u0010\u0000 \u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0080 \u0080\u0000\u0000\u0000\u0080\u0010\u0080\u0000\u0000\u0010\u0000 \u0000\u0000\u0080 \u0000\u0010\u0000 \u0080\u0000\u0080 \u0000\u0000\u0080 \u0000\u0010\u0000\u0000\u0080\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0080 \u0080\u0000\u0000\u0000\u0000\u0000\u0080 \u0000\u0010\u0080 \u0080\u0010\u0080\u0000\u0080\u0010\u0000\b\u0002\u0000\u0000\u0000\u0002\u0002\b\u0000\u0000\u0000\u0000\b\u0000\u0002\b\u0000\u0002\u0000\b\u0000\u0000\u0000\u0000\b\u0002\u0002\u0000\u0000\u0002\u0000\b\b\u0000\u0002\u0000\b\u0000\u0000\b\b\u0000\u0000\b\u0000\u0000\u0002\u0000\b\u0002\u0002\b\b\u0000\u0002\u0000\u0000\u0000\u0002\b\b\u0002\u0000\u0000\u0000\u0000\u0000\b\b\u0000\u0000\u0000\u0000\u0002\u0002\b\u0000\u0002\u0000\u0000\u0000\u0002\u0002\u0000\u0000\u0000\u0002\b\b\u0000\u0002\b\b\u0002\u0002\u0000\b\u0002\u0000\b\u0000\u0002\u0002\u0000\u0000\u0000\u0002\u0000\b\u0002\u0000\b\b\u0000\u0000\u0000\b\u0002\u0002\b\u0000\u0002\u0000\u0000\u0000\u0000\u0000\b\u0000\u0002\u0002\b\u0000\u0000\u0000\b\b\u0000\u0002\u0000\b\u0002\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0002\u0002\b\u0000\u0002\u0000\b\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\b\u0000\u0002\u0000\b\u0002\u0002\b\u0000\u0002\u0000\b\b\u0000\u0000\b\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0002\b\b\u0002\u0000\b\u0000\u0000\u0002\u0000\u0000\u0000\u0000\b\b\u0002\u0002\b\b\u0000\u0000\u0000\b\u0002\u0002\u0000\u0000\u0002\u0002\u0000\b\u0000\u0000\b\u0000\u0000\u0002\b\b\u0002\u0000\b\b\u0002\u0000\u0000\u0000\u0000\u0002\b\b\u0002\u0002\u0000\b\u0000\u0000\u0000\b\u0000\u0002\b\u0000\u0002\u0002\u0000\u0001 \u0080\u0000\u0081 \u0000\u0000\u0081 \u0000\u0000\u0080\u0000\u0000\u0000\u0080 \u0080\u0000\u0081\u0000\u0080\u0000\u0001\u0000\u0080\u0000\u0001 \u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0080\u0000\u0000 \u0080\u0000\u0081 \u0080\u0000\u0081\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0080\u0000\u0001\u0000\u0080\u0000\u0001\u0000\u0000\u0000\u0000 \u0000\u0000\u0000\u0000\u0080\u0000\u0001 \u0080\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0001 \u0000\u0000\u0080 \u0000\u0000\u0081\u0000\u0080\u0000\u0001\u0000\u0000\u0000\u0080 \u0000\u0000\u0080\u0000\u0080\u0000\u0000 \u0000\u0000\u0080 \u0080\u0000\u0081 \u0080\u0000\u0081\u0000\u0000\u0000\u0080\u0000\u0080\u0000\u0001\u0000\u0080\u0000\u0000 \u0080\u0000\u0081 \u0080\u0000\u0081\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0080\u0000\u0080 \u0000\u0000\u0080\u0000\u0080\u0000\u0081\u0000\u0080\u0000\u0001\u0000\u0000\u0000\u0001 \u0080\u0000\u0081 \u0000\u0000\u0081 \u0000\u0000\u0080\u0000\u0000\u0000\u0081 \u0080\u0000\u0081\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000 \u0000\u0000\u0001\u0000\u0080\u0000\u0001 \u0000\u0000\u0080 \u0080\u0000\u0081\u0000\u0080\u0000\u0001 \u0000\u0000\u0080 \u0000\u0000\u0000\u0000\u0080\u0000\u0001 \u0080\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000 \u0000\u0000\u0080 \u0080\u0000\u0000\u0001\u0000\u0000\u0000\u0001\b\u0002\u0000\u0000\b\u0002\u0000\u0001\u0000B\u0000\u0000\b\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\b\u0002\u0000\u0001\b@\u0000\u0000\b\u0000\u0000\u0001\u0000\u0002\u0000\u0001\b@\u0000\u0001\u0000B\u0000\u0000\bB\u0000\u0001\b\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0002\u0000\u0000\b@\u0000\u0000\b@\u0000\u0000\u0000\u0000\u0000\u0001\u0000@\u0000\u0001\bB\u0000\u0001\bB\u0000\u0001\u0000\u0002\u0000\u0000\bB\u0000\u0001\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000B\u0000\u0001\b\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000B\u0000\u0001\b\u0000\u0000\u0000\b\u0000\u0000\u0001\u0000B\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000@\u0000\u0000\b\u0002\u0000\u0001\u0000B\u0000\u0001\b@\u0000\u0001\u0000\u0002\u0000\u0000\u0000@\u0000\u0000\bB\u0000\u0001\b\u0002\u0000\u0001\b@\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\bB\u0000\u0001\bB\u0000\u0001\b\u0000\u0000\u0000\u0000B\u0000\u0001\bB\u0000\u0000\b\u0002\u0000\u0000\u0000\u0000\u0000\u0000\b@\u0000\u0000\u0000B\u0000\u0001\b\u0000\u0000\u0001\u0000\u0002\u0000\u0001\u0000@\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b@\u0000\u0001\b\u0002\u0000\u0001\u0000@\u0010\u0000\u0000 \u0000\u0000@ \u0000@\u0000\u0000\u0010@@ \u0000\u0000@ \u0010\u0000\u0000\u0000\u0010@@ \u0000\u0000@\u0000\u0000@\u0000 \u0010@@\u0000\u0000\u0000@\u0000\u0010\u0000\u0000 \u0010\u0000@\u0000\u0000@\u0000 \u0000\u0000\u0000 \u0010@\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000@\u0000\u0010@\u0000 \u0000@\u0000\u0000\u0000@@\u0000\u0010@\u0000 \u0010\u0000\u0000\u0000\u0010\u0000@ \u0010\u0000@ \u0000\u0000\u0000\u0000\u0010@@\u0000\u0000@@ \u0010@\u0000\u0000\u0000@@\u0000\u0000@@ \u0000\u0000\u0000 \u0000@\u0000 \u0010\u0000\u0000\u0000\u0010\u0000@ \u0000@@\u0000\u0010@@ \u0000\u0000@\u0000\u0010@\u0000\u0000\u0010\u0000\u0000 \u0000\u0000@\u0000\u0000@\u0000 \u0000\u0000\u0000 \u0010@\u0000\u0000\u0010\u0000\u0000 \u0010@@ \u0000@@\u0000\u0000\u0000@ \u0010@@\u0000\u0000@@ \u0000\u0000\u0000\u0000\u0010\u0000@ \u0010\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000@ \u0010@@\u0000\u0000@\u0000\u0000\u0010\u0000@\u0000\u0010@\u0000 \u0000\u0000\u0000\u0000\u0000@@ \u0000\u0000\u0000 \u0010\u0000@\u0000\u0010@\u0000 \u0000\u0000 \u0000\u0002\u0000 \u0004\u0002\b\u0000\u0004\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0002\b\u0000\u0004\u0002\b \u0000\u0000\b \u0004\u0002\b \u0004\u0000\u0000 \u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0002\u0000 \u0004\u0002\b\u0000\u0000\u0000\b\u0000\u0004\u0002\b \u0000\u0002\u0000 \u0000\u0000\b\u0000\u0004\u0002\u0000\u0000\u0004\u0000\u0000 \u0004\u0000\b \u0004\u0002\u0000 \u0000\u0000\u0000 \u0004\u0000\b\u0000\u0000\u0002\b\u0000\u0000\u0002\b \u0004\u0000\b \u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\b \u0000\u0000\u0000\u0000\u0004\u0000\b \u0000\u0000\u0000 \u0000\u0002\b\u0000\u0004\u0002\b\u0000\u0004\u0002\u0000 \u0004\u0002\u0000 \u0004\u0002\u0000\u0000\u0000\u0002\u0000 \u0000\u0000\u0000\u0000\u0004\u0000\b\u0000\u0004\u0000\u0000 \u0000\u0000\b \u0004\u0002\b\u0000\u0000\u0002\b \u0000\u0000\b \u0004\u0002\b\u0000\u0000\u0002\u0000\u0000\u0004\u0002\b \u0004\u0000\u0000 \u0004\u0000\b \u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0002\b \u0004\u0000\u0000\u0000\u0000\u0002\b \u0000\u0000\u0000 \u0004\u0000\b\u0000\u0000\u0002\u0000\u0000\u0004\u0000\b\u0000\u0004\u0000\b\u0000\u0000\u0002\u0000 \u0000@\u0010\u0000\u0010\u0000\u0010\u0000\u0000\u0000\u0000\u0004\u0000@\u0010\u0004\u0010\u0000\u0000\u0000\u0010@\u0010\u0000\u0010@\u0000\u0000\u0000\u0000\u0000\u0000\u0010@\u0000\u0004\u0000\u0000\u0000\u0004\u0010@\u0010\u0004\u0010\u0000\u0010\u0004\u0000\u0000\u0010\u0004\u0010@\u0010\u0004\u0000\u0000\u0010\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0004\u0010@\u0000\u0000\u0010\u0000\u0010\u0000\u0010@\u0010\u0000\u0000\u0000\u0010\u0004\u0000@\u0000\u0004\u0000@\u0000\u0004\u0010\u0000\u0010\u0004\u0010@\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0004\u0010@\u0000\u0000\u0010\u0000\u0010\u0000\u0010@\u0010\u0004\u0000\u0000\u0000\u0004\u0000@\u0010\u0004\u0000\u0000\u0000\u0004\u0000\u0000\u0010\u0004\u0010\u0000\u0010\u0000\u0000@\u0000\u0000\u0000@\u0000\u0004\u0010\u0000\u0010\u0000\u0000@\u0010\u0004\u0000\u0000\u0010\u0000\u0010@\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0004\u0010@\u0000\u0004\u0010\u0000\u0000\u0000\u0010\u0000\u0000\u0004\u0000@\u0010\u0000\u0010\u0000\u0000\u0000\u0000@\u0010\u0004\u0010@\u0000\u0004\u0000@\u0000\u0000\u0010\u0000\u0000\u0004\u0010\u0000\u0010\u0000\u0010@\u0010\u0000\u0010\u0000\u0000\u0000\u0000@\u0010\u0004\u0010\u0000\u0010\u0004\u0000\u0000\u0010\u0004\u0000@\u0010\u0000\u0000@\u0010\u0000\u0000@\u0000\u0004\u0000\u0000\u0000\u0000\u0010\u0000\u0010\u0004\u0010\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000n\u0000\u0000\u0000\u00e9\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00ea\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000n\u0000\u0000\u0000\u00eb\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00ec\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000d\u0000\u0000\u0000\u00f1\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000d\u0000\u0000\u0000\u00f2\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0000\u0000\u0000\u00ed\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000n\u0000\u0000\u0000\u00ee\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00ef\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00f0\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00f3\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000b\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00f4\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\f\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0000\u0000\u0000\u00f5\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00f0\u0000\u00ff\u00f0\u00f0\u0000\u00f0\u00f0\u00ff\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000a\u0000b\u0000e\u00002\u00008\u00006\u00009\u0000f\u0000-\u00009\u0000b\u00004\u00007\u0000-\u00004\u0000c\u0000d\u00009\u0000-\u0000a\u00003\u00005\u00008\u0000-\u0000c\u00002\u00002\u00009\u00000\u00004\u0000d\u0000b\u0000a\u00007\u0000f\u00007\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u0000k\u0000\u0000\u0000\u0000\u0000\u0000\u00008\u00002\u0000B\u0000D\u00000\u0000E\u00006\u00007\u0000-\u00009\u0000F\u0000E\u0000A\u0000-\u00004\u00007\u00004\u00008\u0000-\u00008\u00006\u00007\u00002\u0000-\u0000D\u00005\u0000E\u0000F\u0000E\u00005\u0000B\u00007\u00007\u00009\u0000B\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000348",
"base_address": "0x00417000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50722
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000348",
"base_address": "0x7efde008"
},
"time": 1597348460.702875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50725
}
],
"references": [],
"name": "injection_write_memory"
},
{
"markcount": 2,
"families": [],
"description": "Code injection by writing an executable or DLL to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1996,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000N\u000b\u0080R\nj\u00ee\u0001\nj\u00ee\u0001\nj\u00ee\u0001\u00c9e\u00b1\u0001\bj\u00ee\u0001\u00c9e\u00b3\u0001\u001cj\u00ee\u0001\u00f0I\u00ae\u0001\u0001j\u00ee\u0001\u00d0I\u00f2\u0001\u0001j\u00ee\u0001\nj\u00ef\u0001Dk\u00ee\u0001\u00f0I\u00f7\u0001\tj\u00ee\u0001-\u00ac\u009c\u0001>j\u00ee\u0001-\u00ac\u0092\u0001\u000bj\u00ee\u0001-\u00ac\u0096\u0001\u000bj\u00ee\u0001Rich\nj\u00ee\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0004\u0000&\u00ebWY\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0003\u0001\u000b\u0001\b\u0000\u0000@\u0004\u0000\u0000<\u0001\u0000\u0000\u0000\u0000\u0000.G\u0004\u0000\u0000\u0010\u0000\u0000\u0000P\u0004\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b0\u0005\u0000\u0000\u0004\u0000\u0000\u00e9\u000f\u0006\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000|\u00f2\u0004\u0000\u00f0\u0000\u0000\u0000\u0000@\u0005\u0000$i\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a0T\u0004\u0000\u001c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0004\u0000p\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000\u00cd>\u0004\u0000\u0000\u0010\u0000\u0000\u0000@\u0004\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rdata\u0000\u0000\u0006\u00ba\u0000\u0000\u0000P\u0004\u0000\u0000\u00bc\u0000\u0000\u0000D\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.data\u0000\u0000\u0000\u0084-\u0000\u0000\u0000\u0010\u0005\u0000\u0000\u0016\u0000\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.rsrc\u0000\u0000\u0000$i\u0000\u0000\u0000@\u0005\u0000\u0000j\u0000\u0000\u0000\u0016\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000384",
"base_address": "0x00400000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49978
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0010\u00fc\u00b9Qq\u0092\u00eaQq\u0092\u00eaQq\u0092\u00ea\u0092~\u00cf\u00eaCq\u0092\u00ea\u00abR\u00d2\u00eaRq\u0092\u00ea\u008bR\u008e\u00eaZq\u0092\u00eaQq\u0093\u00ea[p\u0092\u00ea\u00abR\u008b\u00eaRq\u0092\u00eav\u00b7\u00e0\u00eavq\u0092\u00eav\u00b7\u00ee\u00eaPq\u0092\u00eav\u00b7\u00ea\u00eaPq\u0092\u00eaRichQq\u0092\u00ea\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0004\u0000\u00d7\u00a4oW\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0003\u0001\u000b\u0001\b\u0000\u0000\u0016\u0001\u0000\u0000v\u0000\u0000\u0000\u0000\u0000\u0000\u001a!\u0001\u0000\u0000\u0010\u0000\u0000\u00000\u0001\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0\u0001\u0000\u0000\u0004\u0000\u0000\"\f\u0002\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,V\u0001\u0000\u00dc\u0000\u0000\u0000\u0000\u0090\u0001\u0000\u00c4.\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c03\u0001\u0000\u001c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0001\u0000\u0098\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000D\u0014\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u0016\u0001\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rdata\u0000\u0000\u00968\u0000\u0000\u00000\u0001\u0000\u0000:\u0000\u0000\u0000\u001a\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.data\u0000\u0000\u0000t\u001b\u0000\u0000\u0000p\u0001\u0000\u0000\f\u0000\u0000\u0000T\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.rsrc\u0000\u0000\u0000\u00c4.\u0000\u0000\u0000\u0090\u0001\u0000\u00000\u0000\u0000\u0000`\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000348",
"base_address": "0x00400000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50718
}
],
"references": [],
"name": "injection_write_memory_exe"
},
{
"markcount": 6,
"families": [],
"description": "Harvests credentials from local email clients",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\Software\\Microsoft\\Internet Account Manager\\Accounts",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\Software\\Mozilla\\Mozilla Thunderbird",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "infostealer_mail"
},
{
"markcount": 6,
"families": [],
"description": "Used NtSetContextThread to modify a thread in a remote process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 1664 called NtSetContextThread to modify thread in remote process 2872",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c",
"registers": {
"eip": 2008678852,
"esp": 2948024,
"edi": 0,
"eax": 4764414,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2872
},
"time": 1597348387.266,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 902
},
{
"category": "Process injection",
"ioc": "Process 2872 called NtSetContextThread to modify thread in remote process 1996",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000380",
"registers": {
"eip": 0,
"esp": 0,
"edi": 0,
"eax": 4474670,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 1996
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49988
},
{
"category": "Process injection",
"ioc": "Process 2872 called NtSetContextThread to modify thread in remote process 984",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000258",
"registers": {
"eip": 0,
"esp": 0,
"edi": 0,
"eax": 4268314,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 984
},
"time": 1597348460.702875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50726
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_ntsetcontextthread"
},
{
"markcount": 6,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 1664 resumed a thread in remote process 2872",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c",
"suspend_count": 1,
"process_identifier": 2872
},
"time": 1597348387.312,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 903
},
{
"category": "Process injection",
"ioc": "Process 2872 resumed a thread in remote process 1996",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000380",
"suspend_count": 1,
"process_identifier": 1996
},
"time": 1597348399.655875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49990
},
{
"category": "Process injection",
"ioc": "Process 2872 resumed a thread in remote process 984",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000258",
"suspend_count": 1,
"process_identifier": 984
},
"time": 1597348460.733875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50727
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
},
{
"markcount": 40,
"families": [],
"description": "Executed a process and injected code into it, probably while unpacking",
"severity": 5,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1480,
"thread_handle": "0x0000011c",
"process_identifier": 2872,
"current_directory": "",
"filepath": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000124",
"inherit_handles": 0
},
"time": 1597348387.266,
"tid": 2736,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 1664,
"type": "call",
"cid": 890
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c"
},
"time": 1597348387.266,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 891
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2872,
"region_size": 589824,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000124",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1597348387.266,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1664,
"type": "call",
"cid": 894
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "75e53500feb070bc593915598f6c9cee699027fe",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2872,
"buffer": "",
"process_handle": "0x00000124",
"base_address": "0x00400000"
},
"time": 1597348387.266,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 895
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2872,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000124",
"base_address": "0x7efde008"
},
"time": 1597348387.266,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 901
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c",
"registers": {
"eip": 2008678852,
"esp": 2948024,
"edi": 0,
"eax": 4764414,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2872
},
"time": 1597348387.266,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 902
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c",
"suspend_count": 1,
"process_identifier": 2872
},
"time": 1597348387.312,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 903
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000015c",
"suspend_count": 1,
"process_identifier": 2872
},
"time": 1597348387.515875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 313
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000001b0",
"suspend_count": 1,
"process_identifier": 2872
},
"time": 1597348387.515875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 380
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000001e8",
"suspend_count": 1,
"process_identifier": 2872
},
"time": 1597348387.718875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 696
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000208",
"suspend_count": 1,
"process_identifier": 2872
},
"time": 1597348387.749875,
"tid": 816,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 924
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000238",
"suspend_count": 1,
"process_identifier": 2872
},
"time": 1597348398.890875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25236
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002e8",
"suspend_count": 1,
"process_identifier": 2872
},
"time": 1597348398.905875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25411
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000368",
"suspend_count": 1,
"process_identifier": 2872
},
"time": 1597348398.983875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 25663
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2844,
"thread_handle": "0x00000380",
"process_identifier": 1996,
"current_directory": "",
"filepath": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"track": 1,
"command_line": "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" \/stext \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp8A04.tmp\"",
"filepath_r": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000384",
"inherit_handles": 0
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2872,
"type": "call",
"cid": 49962
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000380"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49964
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtUnmapViewOfSection",
"return_value": 0,
"arguments": {
"process_identifier": 1996,
"region_size": 4096,
"process_handle": "0x00000384",
"base_address": "0x00400000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49974
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1996,
"region_size": 372736,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000384",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2872,
"type": "call",
"cid": 49976
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1996,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000N\u000b\u0080R\nj\u00ee\u0001\nj\u00ee\u0001\nj\u00ee\u0001\u00c9e\u00b1\u0001\bj\u00ee\u0001\u00c9e\u00b3\u0001\u001cj\u00ee\u0001\u00f0I\u00ae\u0001\u0001j\u00ee\u0001\u00d0I\u00f2\u0001\u0001j\u00ee\u0001\nj\u00ef\u0001Dk\u00ee\u0001\u00f0I\u00f7\u0001\tj\u00ee\u0001-\u00ac\u009c\u0001>j\u00ee\u0001-\u00ac\u0092\u0001\u000bj\u00ee\u0001-\u00ac\u0096\u0001\u000bj\u00ee\u0001Rich\nj\u00ee\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0004\u0000&\u00ebWY\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0003\u0001\u000b\u0001\b\u0000\u0000@\u0004\u0000\u0000<\u0001\u0000\u0000\u0000\u0000\u0000.G\u0004\u0000\u0000\u0010\u0000\u0000\u0000P\u0004\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b0\u0005\u0000\u0000\u0004\u0000\u0000\u00e9\u000f\u0006\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000|\u00f2\u0004\u0000\u00f0\u0000\u0000\u0000\u0000@\u0005\u0000$i\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a0T\u0004\u0000\u001c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0004\u0000p\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000\u00cd>\u0004\u0000\u0000\u0010\u0000\u0000\u0000@\u0004\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rdata\u0000\u0000\u0006\u00ba\u0000\u0000\u0000P\u0004\u0000\u0000\u00bc\u0000\u0000\u0000D\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.data\u0000\u0000\u0000\u0084-\u0000\u0000\u0000\u0010\u0005\u0000\u0000\u0016\u0000\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.rsrc\u0000\u0000\u0000$i\u0000\u0000\u0000@\u0005\u0000\u0000j\u0000\u0000\u0000\u0016\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000384",
"base_address": "0x00400000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49978
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "4deb24737b4102b38ef30f0ce27d3fd268b6fcd7",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1996,
"buffer": "",
"process_handle": "0x00000384",
"base_address": "0x00401000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49980
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "3dbf5abfc9079f291f5a15f402dfbcf716e83cf7",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1996,
"buffer": "",
"process_handle": "0x00000384",
"base_address": "0x00445000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49982
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "1740540654e69d32d7168b196c27b09bf629d095",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1996,
"buffer": "",
"process_handle": "0x00000384",
"base_address": "0x00451000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49983
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "39721f56fba776d158110d7d52fd75103426562b",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1996,
"buffer": "",
"process_handle": "0x00000384",
"base_address": "0x00454000"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49985
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1996,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000384",
"base_address": "0x7efde008"
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49986
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000380",
"registers": {
"eip": 0,
"esp": 0,
"edi": 0,
"eax": 4474670,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 1996
},
"time": 1597348399.624875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49988
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000380",
"suspend_count": 1,
"process_identifier": 1996
},
"time": 1597348399.655875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 49990
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 3000,
"thread_handle": "0x00000258",
"process_identifier": 984,
"current_directory": "",
"filepath": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"track": 1,
"command_line": "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" \/stext \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp789B.tmp\"",
"filepath_r": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000348",
"inherit_handles": 0
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2872,
"type": "call",
"cid": 50713
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000258"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50714
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtUnmapViewOfSection",
"return_value": 0,
"arguments": {
"process_identifier": 984,
"region_size": 4096,
"process_handle": "0x00000348",
"base_address": "0x00400000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50716
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 984,
"region_size": 114688,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000348",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2872,
"type": "call",
"cid": 50717
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0010\u00fc\u00b9Qq\u0092\u00eaQq\u0092\u00eaQq\u0092\u00ea\u0092~\u00cf\u00eaCq\u0092\u00ea\u00abR\u00d2\u00eaRq\u0092\u00ea\u008bR\u008e\u00eaZq\u0092\u00eaQq\u0093\u00ea[p\u0092\u00ea\u00abR\u008b\u00eaRq\u0092\u00eav\u00b7\u00e0\u00eavq\u0092\u00eav\u00b7\u00ee\u00eaPq\u0092\u00eav\u00b7\u00ea\u00eaPq\u0092\u00eaRichQq\u0092\u00ea\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0004\u0000\u00d7\u00a4oW\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0003\u0001\u000b\u0001\b\u0000\u0000\u0016\u0001\u0000\u0000v\u0000\u0000\u0000\u0000\u0000\u0000\u001a!\u0001\u0000\u0000\u0010\u0000\u0000\u00000\u0001\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0\u0001\u0000\u0000\u0004\u0000\u0000\"\f\u0002\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000,V\u0001\u0000\u00dc\u0000\u0000\u0000\u0000\u0090\u0001\u0000\u00c4.\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c03\u0001\u0000\u001c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0001\u0000\u0098\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000D\u0014\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u0016\u0001\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rdata\u0000\u0000\u00968\u0000\u0000\u00000\u0001\u0000\u0000:\u0000\u0000\u0000\u001a\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.data\u0000\u0000\u0000t\u001b\u0000\u0000\u0000p\u0001\u0000\u0000\f\u0000\u0000\u0000T\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.rsrc\u0000\u0000\u0000\u00c4.\u0000\u0000\u0000\u0090\u0001\u0000\u00000\u0000\u0000\u0000`\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000348",
"base_address": "0x00400000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50718
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "fd7ef7da9d2e3466640b01831ab538183f3d6363",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "",
"process_handle": "0x00000348",
"base_address": "0x00401000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50720
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "954eab585e89627a43237551b264ab18ea92c53b",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "",
"process_handle": "0x00000348",
"base_address": "0x00413000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50721
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000%\u0000G\u0000K\u0000P\u0000$\u0000^\u0000%\u0000^\u0000&\u0000L\u0000L\u0000(\u0000%\u0000^\u0000$\u0000^\u0000O\u0000&\u0000T\u0000R\u0000$\u0000^\u0000%\u0000^\u0000G\u0000V\u00006\u0000;\u0000l\u0000x\u0000z\u0000d\u0000\u0000\u0000\u0000\u0000O4A\u0000O4A\u0000\u00ff\u00ff\u00f0\u0000\u00ff\u00f0\u00f0\u0000\u00f0\u00f0\u00ff\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0001\u0001\u0000\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0001\u0000\u0000\u0001\u0001\u0000\u0001\u0001\u0001\u0000\u0000\u0000\u0000\u0001\u0001\u0000\u0000\u0001\u0000\u0001\u0000\u0001\u0001\u0001\u0000\u0001\u0000\u0000\u0001\u0001\u0001\u0000\u0001\u0001\u0000\u0001\u0001\u0001\u0001\u0001\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0001\u0001\u0000\u0000\u0001\u0001\u0001\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0001\u0001\u0000\u0001\u0000\u0001\u0000\u0001\u0001\u0001\u0001\u0000\u0000\u0001\u0001\u0000\u0001\u0001\u0001\u0001\u0000\u0001\u0001\u0001\u0001\u0000\u0004\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0004\u0004\u0001\u0001\u0004\u0000\u0001\u0001\u0004\u0004\u0001\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u0000\u0000\u0000\u0004\u0001\u0001\u0004\u0004\u0001\u0001\u0000\u0004\u0000\u0000\u0004\u0004\u0000\u0001\u0004\u0000\u0001\u0001\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0004\u0000\u0000\u0000\u0004\u0000\u0001\u0000\u0004\u0000\u0001\u0000\u0004\u0001\u0000\u0000\u0004\u0001\u0000\u0000\u0000\u0001\u0001\u0000\u0000\u0001\u0001\u0004\u0004\u0000\u0001\u0004\u0000\u0001\u0000\u0004\u0000\u0000\u0001\u0004\u0000\u0000\u0001\u0004\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0004\u0004\u0000\u0000\u0004\u0004\u0001\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0001\u0000\u0004\u0004\u0001\u0001\u0004\u0000\u0000\u0000\u0000\u0000\u0001\u0001\u0000\u0004\u0001\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0004\u0000\u0000\u0004\u0000\u0001\u0001\u0000\u0000\u0001\u0000\u0000\u0004\u0001\u0000\u0004\u0000\u0000\u0001\u0000\u0004\u0000\u0000\u0004\u0000\u0000\u0000\u0004\u0004\u0000\u0001\u0004\u0004\u0001\u0000\u0004\u0004\u0001\u0001\u0004\u0000\u0001\u0000\u0000\u0000\u0001\u0001\u0004\u0004\u0000\u0001\u0004\u0000\u0000\u0001\u0004\u0004\u0000\u0000\u0004\u0004\u0001\u0000\u0000\u0004\u0001\u0001\u0004\u0004\u0000\u0000\u0000\u0004\u0000\u0001\u0000\u0004\u0000\u0001\u0000\u0000\u0000\u0000\u0004\u0000\u0001\u0000\u0000\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0001\u0001 \u0080\u0010\u0080\u0000\u0080\u0000\u0080\u0000\u0080\u0000\u0000 \u0080\u0010\u0000\u0000\u0000\u0010\u0000 \u0000\u0000\u0000 \u0000\u0010\u0080 \u0080\u0000\u0080 \u0000\u0000\u0080 \u0080\u0010\u0080\u0000\u0080\u0010\u0080\u0000\u0000\u0000\u0080\u0000\u0080\u0000\u0080\u0000\u0000\u0010\u0000 \u0000\u0000\u0000 \u0000\u0010\u0080\u0000\u0080\u0010\u0000 \u0000\u0010\u0000 \u0080\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0080\u0000\u0000 \u0080\u0010\u0000\u0000\u0000\u0010\u0080 \u0000\u0010\u0000 \u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0080\u0010\u0000 \u0080\u0000\u0000\u0000\u0080\u0010\u0080\u0000\u0000\u0010\u0080 \u0080\u0000\u0000\u0000\u0000\u0000\u0000 \u0080\u0010\u0000 \u0000\u0010\u0080\u0000\u0000\u0010\u0000 \u0080\u0000\u0080\u0000\u0000\u0010\u0080\u0000\u0080\u0010\u0080\u0000\u0080\u0000\u0000\u0000\u0000\u0010\u0080\u0000\u0080\u0000\u0080 \u0000\u0000\u0000 \u0080\u0010\u0080 \u0080\u0010\u0000 \u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0080 \u0080\u0000\u0000\u0000\u0080\u0010\u0080\u0000\u0000\u0010\u0000 \u0000\u0000\u0080 \u0000\u0010\u0000 \u0080\u0000\u0080 \u0000\u0000\u0080 \u0000\u0010\u0000\u0000\u0080\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0080 \u0080\u0000\u0000\u0000\u0000\u0000\u0080 \u0000\u0010\u0080 \u0080\u0010\u0080\u0000\u0080\u0010\u0000\b\u0002\u0000\u0000\u0000\u0002\u0002\b\u0000\u0000\u0000\u0000\b\u0000\u0002\b\u0000\u0002\u0000\b\u0000\u0000\u0000\u0000\b\u0002\u0002\u0000\u0000\u0002\u0000\b\b\u0000\u0002\u0000\b\u0000\u0000\b\b\u0000\u0000\b\u0000\u0000\u0002\u0000\b\u0002\u0002\b\b\u0000\u0002\u0000\u0000\u0000\u0002\b\b\u0002\u0000\u0000\u0000\u0000\u0000\b\b\u0000\u0000\u0000\u0000\u0002\u0002\b\u0000\u0002\u0000\u0000\u0000\u0002\u0002\u0000\u0000\u0000\u0002\b\b\u0000\u0002\b\b\u0002\u0002\u0000\b\u0002\u0000\b\u0000\u0002\u0002\u0000\u0000\u0000\u0002\u0000\b\u0002\u0000\b\b\u0000\u0000\u0000\b\u0002\u0002\b\u0000\u0002\u0000\u0000\u0000\u0000\u0000\b\u0000\u0002\u0002\b\u0000\u0000\u0000\b\b\u0000\u0002\u0000\b\u0002\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0002\u0002\b\u0000\u0002\u0000\b\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\b\u0000\u0002\u0000\b\u0002\u0002\b\u0000\u0002\u0000\b\b\u0000\u0000\b\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0002\b\b\u0002\u0000\b\u0000\u0000\u0002\u0000\u0000\u0000\u0000\b\b\u0002\u0002\b\b\u0000\u0000\u0000\b\u0002\u0002\u0000\u0000\u0002\u0002\u0000\b\u0000\u0000\b\u0000\u0000\u0002\b\b\u0002\u0000\b\b\u0002\u0000\u0000\u0000\u0000\u0002\b\b\u0002\u0002\u0000\b\u0000\u0000\u0000\b\u0000\u0002\b\u0000\u0002\u0002\u0000\u0001 \u0080\u0000\u0081 \u0000\u0000\u0081 \u0000\u0000\u0080\u0000\u0000\u0000\u0080 \u0080\u0000\u0081\u0000\u0080\u0000\u0001\u0000\u0080\u0000\u0001 \u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0080\u0000\u0000 \u0080\u0000\u0081 \u0080\u0000\u0081\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0080\u0000\u0001\u0000\u0080\u0000\u0001\u0000\u0000\u0000\u0000 \u0000\u0000\u0000\u0000\u0080\u0000\u0001 \u0080\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0001 \u0000\u0000\u0080 \u0000\u0000\u0081\u0000\u0080\u0000\u0001\u0000\u0000\u0000\u0080 \u0000\u0000\u0080\u0000\u0080\u0000\u0000 \u0000\u0000\u0080 \u0080\u0000\u0081 \u0080\u0000\u0081\u0000\u0000\u0000\u0080\u0000\u0080\u0000\u0001\u0000\u0080\u0000\u0000 \u0080\u0000\u0081 \u0080\u0000\u0081\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0080\u0000\u0080 \u0000\u0000\u0080\u0000\u0080\u0000\u0081\u0000\u0080\u0000\u0001\u0000\u0000\u0000\u0001 \u0080\u0000\u0081 \u0000\u0000\u0081 \u0000\u0000\u0080\u0000\u0000\u0000\u0081 \u0080\u0000\u0081\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000 \u0000\u0000\u0001\u0000\u0080\u0000\u0001 \u0000\u0000\u0080 \u0080\u0000\u0081\u0000\u0080\u0000\u0001 \u0000\u0000\u0080 \u0000\u0000\u0000\u0000\u0080\u0000\u0001 \u0080\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000 \u0000\u0000\u0080 \u0080\u0000\u0000\u0001\u0000\u0000\u0000\u0001\b\u0002\u0000\u0000\b\u0002\u0000\u0001\u0000B\u0000\u0000\b\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\b\u0002\u0000\u0001\b@\u0000\u0000\b\u0000\u0000\u0001\u0000\u0002\u0000\u0001\b@\u0000\u0001\u0000B\u0000\u0000\bB\u0000\u0001\b\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0002\u0000\u0000\b@\u0000\u0000\b@\u0000\u0000\u0000\u0000\u0000\u0001\u0000@\u0000\u0001\bB\u0000\u0001\bB\u0000\u0001\u0000\u0002\u0000\u0000\bB\u0000\u0001\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000B\u0000\u0001\b\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000B\u0000\u0001\b\u0000\u0000\u0000\b\u0000\u0000\u0001\u0000B\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000@\u0000\u0000\b\u0002\u0000\u0001\u0000B\u0000\u0001\b@\u0000\u0001\u0000\u0002\u0000\u0000\u0000@\u0000\u0000\bB\u0000\u0001\b\u0002\u0000\u0001\b@\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\bB\u0000\u0001\bB\u0000\u0001\b\u0000\u0000\u0000\u0000B\u0000\u0001\bB\u0000\u0000\b\u0002\u0000\u0000\u0000\u0000\u0000\u0000\b@\u0000\u0000\u0000B\u0000\u0001\b\u0000\u0000\u0001\u0000\u0002\u0000\u0001\u0000@\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b@\u0000\u0001\b\u0002\u0000\u0001\u0000@\u0010\u0000\u0000 \u0000\u0000@ \u0000@\u0000\u0000\u0010@@ \u0000\u0000@ \u0010\u0000\u0000\u0000\u0010@@ \u0000\u0000@\u0000\u0000@\u0000 \u0010@@\u0000\u0000\u0000@\u0000\u0010\u0000\u0000 \u0010\u0000@\u0000\u0000@\u0000 \u0000\u0000\u0000 \u0010@\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000@\u0000\u0010@\u0000 \u0000@\u0000\u0000\u0000@@\u0000\u0010@\u0000 \u0010\u0000\u0000\u0000\u0010\u0000@ \u0010\u0000@ \u0000\u0000\u0000\u0000\u0010@@\u0000\u0000@@ \u0010@\u0000\u0000\u0000@@\u0000\u0000@@ \u0000\u0000\u0000 \u0000@\u0000 \u0010\u0000\u0000\u0000\u0010\u0000@ \u0000@@\u0000\u0010@@ \u0000\u0000@\u0000\u0010@\u0000\u0000\u0010\u0000\u0000 \u0000\u0000@\u0000\u0000@\u0000 \u0000\u0000\u0000 \u0010@\u0000\u0000\u0010\u0000\u0000 \u0010@@ \u0000@@\u0000\u0000\u0000@ \u0010@@\u0000\u0000@@ \u0000\u0000\u0000\u0000\u0010\u0000@ \u0010\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000@ \u0010@@\u0000\u0000@\u0000\u0000\u0010\u0000@\u0000\u0010@\u0000 \u0000\u0000\u0000\u0000\u0000@@ \u0000\u0000\u0000 \u0010\u0000@\u0000\u0010@\u0000 \u0000\u0000 \u0000\u0002\u0000 \u0004\u0002\b\u0000\u0004\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0002\b\u0000\u0004\u0002\b \u0000\u0000\b \u0004\u0002\b \u0004\u0000\u0000 \u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0002\u0000 \u0004\u0002\b\u0000\u0000\u0000\b\u0000\u0004\u0002\b \u0000\u0002\u0000 \u0000\u0000\b\u0000\u0004\u0002\u0000\u0000\u0004\u0000\u0000 \u0004\u0000\b \u0004\u0002\u0000 \u0000\u0000\u0000 \u0004\u0000\b\u0000\u0000\u0002\b\u0000\u0000\u0002\b \u0004\u0000\b \u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\b \u0000\u0000\u0000\u0000\u0004\u0000\b \u0000\u0000\u0000 \u0000\u0002\b\u0000\u0004\u0002\b\u0000\u0004\u0002\u0000 \u0004\u0002\u0000 \u0004\u0002\u0000\u0000\u0000\u0002\u0000 \u0000\u0000\u0000\u0000\u0004\u0000\b\u0000\u0004\u0000\u0000 \u0000\u0000\b \u0004\u0002\b\u0000\u0000\u0002\b \u0000\u0000\b \u0004\u0002\b\u0000\u0000\u0002\u0000\u0000\u0004\u0002\b \u0004\u0000\u0000 \u0004\u0000\b \u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0002\b \u0004\u0000\u0000\u0000\u0000\u0002\b \u0000\u0000\u0000 \u0004\u0000\b\u0000\u0000\u0002\u0000\u0000\u0004\u0000\b\u0000\u0004\u0000\b\u0000\u0000\u0002\u0000 \u0000@\u0010\u0000\u0010\u0000\u0010\u0000\u0000\u0000\u0000\u0004\u0000@\u0010\u0004\u0010\u0000\u0000\u0000\u0010@\u0010\u0000\u0010@\u0000\u0000\u0000\u0000\u0000\u0000\u0010@\u0000\u0004\u0000\u0000\u0000\u0004\u0010@\u0010\u0004\u0010\u0000\u0010\u0004\u0000\u0000\u0010\u0004\u0010@\u0010\u0004\u0000\u0000\u0010\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0004\u0010@\u0000\u0000\u0010\u0000\u0010\u0000\u0010@\u0010\u0000\u0000\u0000\u0010\u0004\u0000@\u0000\u0004\u0000@\u0000\u0004\u0010\u0000\u0010\u0004\u0010@\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0004\u0010@\u0000\u0000\u0010\u0000\u0010\u0000\u0010@\u0010\u0004\u0000\u0000\u0000\u0004\u0000@\u0010\u0004\u0000\u0000\u0000\u0004\u0000\u0000\u0010\u0004\u0010\u0000\u0010\u0000\u0000@\u0000\u0000\u0000@\u0000\u0004\u0010\u0000\u0010\u0000\u0000@\u0010\u0004\u0000\u0000\u0010\u0000\u0010@\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0004\u0010@\u0000\u0004\u0010\u0000\u0000\u0000\u0010\u0000\u0000\u0004\u0000@\u0010\u0000\u0010\u0000\u0000\u0000\u0000@\u0010\u0004\u0010@\u0000\u0004\u0000@\u0000\u0000\u0010\u0000\u0000\u0004\u0010\u0000\u0010\u0000\u0010@\u0010\u0000\u0010\u0000\u0000\u0000\u0000@\u0010\u0004\u0010\u0000\u0010\u0004\u0000\u0000\u0010\u0004\u0000@\u0010\u0000\u0000@\u0010\u0000\u0000@\u0000\u0004\u0000\u0000\u0000\u0000\u0010\u0000\u0010\u0004\u0010\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000n\u0000\u0000\u0000\u00e9\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00ea\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000n\u0000\u0000\u0000\u00eb\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00ec\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000d\u0000\u0000\u0000\u00f1\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000d\u0000\u0000\u0000\u00f2\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0000\u0000\u0000\u00ed\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000n\u0000\u0000\u0000\u00ee\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00ef\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00f0\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00f3\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000b\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0000\u0000\u0000\u00f4\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\f\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0000\u0000\u0000\u00f5\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00f0\u0000\u00ff\u00f0\u00f0\u0000\u00f0\u00f0\u00ff\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000a\u0000b\u0000e\u00002\u00008\u00006\u00009\u0000f\u0000-\u00009\u0000b\u00004\u00007\u0000-\u00004\u0000c\u0000d\u00009\u0000-\u0000a\u00003\u00005\u00008\u0000-\u0000c\u00002\u00002\u00009\u00000\u00004\u0000d\u0000b\u0000a\u00007\u0000f\u00007\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u0000k\u0000\u0000\u0000\u0000\u0000\u0000\u00008\u00002\u0000B\u0000D\u00000\u0000E\u00006\u00007\u0000-\u00009\u0000F\u0000E\u0000A\u0000-\u00004\u00007\u00004\u00008\u0000-\u00008\u00006\u00007\u00002\u0000-\u0000D\u00005\u0000E\u0000F\u0000E\u00005\u0000B\u00007\u00007\u00009\u0000B\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000348",
"base_address": "0x00417000"
},
"time": 1597348460.686875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50722
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "9977750f33844af2262447007dd4815980741a65",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "",
"process_handle": "0x00000348",
"base_address": "0x00419000"
},
"time": 1597348460.702875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50724
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000348",
"base_address": "0x7efde008"
},
"time": 1597348460.702875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50725
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000258",
"registers": {
"eip": 0,
"esp": 0,
"edi": 0,
"eax": 4268314,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 984
},
"time": 1597348460.702875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50726
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000258",
"suspend_count": 1,
"process_identifier": 984
},
"time": 1597348460.733875,
"tid": 1480,
"flags": {}
},
"pid": 2872,
"type": "call",
"cid": 50727
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000100",
"suspend_count": 1,
"process_identifier": 1996
},
"time": 1597348399.875125,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 1011
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000fc",
"suspend_count": 1,
"process_identifier": 984
},
"time": 1597348460.921625,
"tid": 3000,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 163
}
],
"references": [],
"name": "injection_runpe"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.0830719470977783,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5874,
"time": 9.078351020812988,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7718,
"time": 3.0259640216827393,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8046,
"time": 1.0314428806304932,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8374,
"time": 3.076387882232666,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8702,
"time": 1.6616299152374268,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9030,
"time": -0.09607505798339844,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 9358,
"time": 1.594372034072876,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28768,
"time": 1.0648338794708252,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 37152,
"time": 3.1104249954223633,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "ea51c826792569f693f7b145512ae862ed47397991dd192eea51e5f8ee88a9a6",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "3bd5da8e126365142cf83b68f960be972b8020bfe2da8557ef8e098cb9a96b7e",
"irc": [],
"https_ex": []
}Screenshots
clerk.exe removal instructions
The instructions below shows how to remove clerk.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the clerk.exe file for removal, restart your computer and scan it again to verify that clerk.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate clerk.exe in the scan result and tick the checkbox next to the clerk.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate clerk.exe in the scan result.
c:\downloads\clerk.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the clerk.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If clerk.exe still remains in the scan result, proceed with the next step. If clerk.exe is gone from the scan result you're done.
- If clerk.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that clerk.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 3e514b169451b86f7f58bec4dcc24a4e |
| SHA256 | 83b69375b9d6bf5b5bd833d499a3971efd89cfa7a03685648c705d2c3c0b9c7e |
Error Messages
These are some of the error messages that can appear related to clerk.exe:
clerk.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
clerk.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
clerk.exe has stopped working.
End Program - clerk.exe. This program is not responding.
clerk.exe is not a valid Win32 application.
clerk.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with clerk.exe?
To help other users, please let us know what you will do with clerk.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.