cod2.3.exe is part of AsmScriptd according to the cod2.3.exe version information.
cod2.3.exe's description is "AsmScriptd".
cod2.3.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected cod2.3.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
The following is the available information on cod2.3.exe:
Property | Value |
---|---|
Product name | AsmScriptd |
File description | AsmScriptd |
Internal name | AsmScriptd.exe |
Original filename | AsmScriptd.exe |
Legal copyright | Copyright AsmScriptd 2019 |
Product version | 1.0.0.0 |
File version | 1.0.0.0 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
cod2.3.exe is not signed.
51 of the 70 anti-virus programs at VirusTotal detected the cod2.3.exe file. That's a 73% detection rate.
Scanner | Detection Name |
---|---|
Acronis | suspicious |
Ad-Aware | Gen:Variant.MSILPerseus.184308 |
AegisLab | Trojan.MSIL.Androm.4!c |
Alibaba | Trojan:Win32/Starter.ali2000005 |
Antiy-AVL | Trojan[Backdoor]/MSIL.Androm |
Arcabit | Trojan.MSILPerseus.D2CFF4 |
Avast | Win32:RATX-gen [Trj] |
AVG | Win32:RATX-gen [Trj] |
Avira | HEUR/AGEN.1024618 |
BitDefender | Gen:Variant.MSILPerseus.184308 |
CAT-QuickHeal | Backdoor.MSIL |
Comodo | Malware@#3kluw4e05b13b |
CrowdStrike | win/malicious_confidence_100% (W) |
Cybereason | malicious.c4d401 |
Cylance | Unsafe |
Cyren | W32/Trojan.EFCP-0730 |
DrWeb | Trojan.MulDrop8.62401 |
Emsisoft | Gen:Variant.MSILPerseus.184308 (B) |
Endgame | malicious (high confidence) |
ESET-NOD32 | Win32/Spy.Agent.PQM |
F-Secure | Heuristic.HEUR/AGEN.1024618 |
FireEye | Generic.mg.a1cf9d0c4d401bc1 |
Fortinet | MSIL/Kryptik.PFS!tr |
GData | Gen:Variant.MSILPerseus.184308 |
Ikarus | Trojan.MSIL.Crypt |
Invincea | heuristic |
Jiangmin | Backdoor.MSIL.batv |
K7AntiVirus | Trojan ( 0053a8191 ) |
K7GW | Trojan ( 0053a8191 ) |
Kaspersky | HEUR:Backdoor.MSIL.Androm.gen |
Malwarebytes | Backdoor.Agent.MSIL.Generic |
MAX | malware (ai score=100) |
McAfee | GenericRXHI-VT!A1CF9D0C4D40 |
McAfee-GW-Edition | BehavesLike.Win32.Generic.gc |
Microsoft | Trojan:Win32/Skeeyah.A!rfn |
MicroWorld-eScan | Gen:Variant.MSILPerseus.184308 |
NANO-Antivirus | Trojan.Win32.Androm.fovlqv |
Paloalto | generic.ml |
Panda | Generic Malware |
Qihoo-360 | Win32/Backdoor.9cf |
Rising | Backdoor.Androm!8.113 (CLOUD) |
SentinelOne | DFI - Malicious PE |
Sophos | Mal/Generic-S |
Symantec | Trojan.Gen.MBT |
Tencent | Msil.Backdoor.Androm.Lmkt |
Trapmine | malicious.high.ml.score |
TrendMicro | TROJ_GEN.R002C0WD519 |
TrendMicro-HouseCall | TROJ_GEN.R002C0WD519 |
VBA32 | TScope.Trojan.MSIL |
Yandex | TrojanSpy.Agent!frRBOBmhH6E |
ZoneAlarm | HEUR:Backdoor.MSIL.Androm.gen |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
[ { "yara": [], "sha1": "61336fcaa8f5eff81f3c2a5e364fe9e03c3149b2", "name": "fa248170f99f3aea_XDav9VW2fBNYjc3t.bat", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t.bat", "type": "ASCII text, with CRLF line terminators", "sha256": "fa248170f99f3aea8f77d3792c4bf074c0305b75bc11c07eef3102854d4566d5", "urls": [], "crc32": "B398137B", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2595\/files\/fa248170f99f3aea_XDav9VW2fBNYjc3t.bat", "ssdeep": null, "size": 201, "sha512": "5955f7e954985a0208fd356bb30f6424d4efdf0783b90f4b42dd16785a26287f178debed5ec756bd72ea03400fa0f949790dc99899ef720036028f5949026448", "pids": [ 2260, 264 ], "md5": "0d8e5dfa3713f23ac3985b9db858f9e2" } ]
[ { "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "process_name": "cmd.exe", "pid": 264, "summary": { "dll_loaded": [ "ADVAPI32.dll" ], "file_opened": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t.bat", "C:\\" ], "regkey_opened": [ "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t.bat" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t", "C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t.bat\"", "C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t.bat", "C:\\Users\\cuck\\AppData\\Local\\Temp" ], "file_failed": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t.bat" ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t.bat" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun" ], "directory_enumerated": [ "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t.bat", "C:\\Users", "C:\\Users\\cuck\\AppData\\Local" ] }, "first_seen": 1568749996.1821, "ppid": 2260 }, { "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin", "process_name": "04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin", "pid": 2816, "summary": { "file_recreated": [ "\\Device\\KsecDD" ], "directory_created": [ "C:\\Users\\cuck\\AppData\\Roaming\\del" ], "dll_loaded": [ 
"gdiplus.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll", "ntdll", "gdi32.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll", "kernel32.dll", "UxTheme.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll", "dwmapi.dll", "ntdll.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "ADVAPI32.dll", "bcrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "advapi32.dll", "comctl32", "ole32.dll", "SHLWAPI.dll", "CRYPTSP.dll", "C:\\Windows\\system32\\IMM32.DLL", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll", "AdvApi32.dll", "uxtheme.dll", "psapi.dll", "comctl32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "mscoree.dll", "RpcRtRemote.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll", "shfolder.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ntdll.dll", "shell32.dll", "user32.dll" ], "file_failed": [ "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin.config", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config" ], "file_copied": [ [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin", "C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe" ] ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\4994341f\\3c4229dd", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\22ffb435\\7465b96f", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5", "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\22ffb435\\355c1b3d", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin:Zone.Identifier" ], "file_exists": [ "C:\\Users\\cuck\\AppData", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AsmScriptd.resources\\AsmScriptd.resources.exe", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AsmScriptd.resources.exe", "C:\\Windows\\Fonts\\ahronbd.ttf", "C:\\Windows\\Globalization\\en-us.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.config", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users", "C:\\Users\\cuck\\AppData\\Roaming\\del", 
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme", "C:\\Users\\cuck", "C:\\Windows\\Globalization\\en.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AsmScriptd.resources.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AsmScriptd.resources\\AsmScriptd.resources.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AsmScriptd.resources\\AsmScriptd.resources.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AsmScriptd.resources.dll", "C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AsmScriptd.resources\\AsmScriptd.resources.dll", "C:\\Windows\\System32\\MSCOREE.DLL.local", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AsmScriptd.resources.dll" ], "file_opened": [ "C:\\Windows\\Fonts\\msyh.ttf", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll", "C:\\Windows\\System32\\l_intl.nls", "C:\\Windows\\assembly\\pubpol4.dat", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp", "C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat", "C:\\Windows\\Fonts\\micross.ttf", "C:\\Windows\\Fonts\\tahoma.ttf", "C:\\Windows\\Fonts\\segoeui.ttf", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\GDIPFONTCACHEV1.DAT", "C:\\Windows\\Fonts\\msjh.ttf", "C:\\Windows\\Fonts\\malgun.ttf", "C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui", "C:\\Users\\cuck\\AppData\\Local\\Temp\\04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin" ], "command_line": [ "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\"" ], "file_read": [ 
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules", "HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus\\FontCachePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\BF6151FC", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit", 
"severity": 2, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1568749990.2344, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 1847 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1568749996.0151, "tid": 2824, "flags": {} }, "pid": 2260, "type": "call", "cid": 811 } ], "references": [], "name": "privilege_luid_check" }, { "markcount": 1, "families": [], "description": "One or more of the buffers contains an embedded PE file", "severity": 3, "marks": [ { "category": "buffer", "ioc": "Buffer with sha1: f1c13c4fac4d969b4e3c7876a98456a9da070a9f", "type": "ioc", "description": null } ], "references": [], "name": "dumped_buffer2" }, { "markcount": 1, "families": [], "description": "Allocates execute permission to another process indicative of possible code injection", "severity": 3, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2260, "region_size": 786432, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x0000025c", "allocation_type": 12288, "base_address": "0x00400000" }, "time": 1568749992.3434, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2112 } ], "references": [], "name": "allocates_execute_remote_process" }, { "markcount": 79, "families": [], "description": "Installs itself for autorun at Windows startup", "severity": 3, "marks": [ { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": 
"\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", 
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", 
"reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { 
"type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": 
"\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" }, { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "reg_value": "\"C:\\Users\\cuck\\AppData\\Roaming\\del\\jbxFAeOMe8DU.exe\",explorer.exe" } ], "references": [], "name": "persistence_autorun" }, { "markcount": 2, "families": [], "description": "Potential code injection by writing to the memory of another process", "severity": 3, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "WriteProcessMemory", "return_value": 1, "arguments": { "process_identifier": 2260, "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0018\u0000\u0000\u0000\u0018\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0000\u00000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\t\u0004\u0000\u0000H\u0000\u0000\u0000\\\u00f0\u000b\u0000\/\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u00c0\u000b\u0000\u00ef\u00bb\u00bf\r\n<\/requestedExecutionLevel><\/requestedPrivileges><\/security><\/trustInfo> 
true<\/dpiAware><\/windowsSettings><\/application><\/assembly>\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e4\u00f2\u000b\u0000\u00c8\u00f2\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f1\u00f2\u000b\u0000\u00dc\u00f2\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001a\u00f3\u000b\u0000\u00fc\u00f2\u000b\u0000\n\u00f3\u000b\u0000(\u00f3\u000b\u0000\u0000\u0000\u0000\u0000t\u0000\u0000\u0080\u0000\u0000\u0000\u0000KERNEL32.DLL\u0000WS2_32.dll\u0000\u0000\u0000ExitProcess\u0000\u0000\u0000GetProcAddress\u0000\u0000LoadLibraryA\u0000\u0000VirtualProtect\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "process_handle": "0x0000025c", "base_address": "0x004bf000" }, "time": 
1568749992.3594, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2117 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "WriteProcessMemory", "return_value": 1, "arguments": { "process_identifier": 2260, "buffer": "\u0000\u0000@\u0000", "process_handle": "0x0000025c", "base_address": "0x7efde008" }, "time": 1568749992.3594, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2118 } ], "references": [], "name": "injection_write_memory" }, { "markcount": 2, "families": [], "description": "Used NtSetContextThread to modify a thread in a remote process indicative of process injection", "severity": 3, "marks": [ { "category": "Process injection", "ioc": "Process 2816 called NtSetContextThread to modify thread in remote process 2260", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtSetContextThread", "return_value": 0, "arguments": { "thread_handle": "0x00000254", "registers": { "eip": 2008678852, "esp": 1638384, "edi": 0, "eax": 4973232, "ebp": 0, "edx": 0, "ebx": 2130567168, "esi": 0, "ecx": 0 }, "process_identifier": 2260 }, "time": 1568749992.3594, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2120 } ], "references": [ "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "name": "injection_ntsetcontextthread" }, { "markcount": 1, "families": [], "description": "Attempts to remove evidence of file being downloaded from the Internet", "severity": 3, "marks": [ { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70.bin:Zone.Identifier", "type": "ioc", "description": null } ], "references": [], "name": "removes_zoneid_ads" }, { "markcount": 2, "families": [], "description": "Resumed a suspended thread in a remote process potentially indicative of process injection", "severity": 3, "marks": 
[ { "category": "Process injection", "ioc": "Process 2816 resumed a thread in remote process 2260", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x00000254", "suspend_count": 1, "process_identifier": 2260 }, "time": 1568749993.6874, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2122 } ], "references": [ "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "name": "injection_resumethread" }, { "markcount": 17, "families": [], "description": "Executed a process and injected code into it, probably while unpacking", "severity": 5, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x000000cc", "suspend_count": 1, "process_identifier": 2816 }, "time": 1568749989.7964, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 362 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x00000158", "suspend_count": 1, "process_identifier": 2816 }, "time": 1568749989.7964, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 450 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x000001ec", "suspend_count": 1, "process_identifier": 2816 }, "time": 1568749990.0314, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 1575 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "CreateProcessInternalW", "return_value": 1, "arguments": { "thread_identifier": 2820, "thread_handle": "0x00000254", "process_identifier": 2260, "current_directory": "", "filepath": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe", 
"track": 1, "command_line": "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\"", "filepath_r": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe", "stack_pivoted": 0, "creation_flags": 134217732, "process_handle": "0x0000025c", "inherit_handles": 0 }, "time": 1568749992.3434, "tid": 2420, "flags": { "creation_flags": "CREATE_NO_WINDOW|CREATE_SUSPENDED" } }, "pid": 2816, "type": "call", "cid": 2094 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtGetContextThread", "return_value": 0, "arguments": { "thread_handle": "0x00000254" }, "time": 1568749992.3434, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2100 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtUnmapViewOfSection", "return_value": 0, "arguments": { "process_identifier": 2260, "region_size": 4096, "process_handle": "0x0000025c", "base_address": "0x00400000" }, "time": 1568749992.3434, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2110 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2260, "region_size": 786432, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x0000025c", "allocation_type": 12288, "base_address": "0x00400000" }, "time": 1568749992.3434, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2112 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "buffer": "f1c13c4fac4d969b4e3c7876a98456a9da070a9f", "api": "WriteProcessMemory", "return_value": 1, "arguments": { "process_identifier": 2260, "buffer": "", "process_handle": "0x0000025c", "base_address": "0x00400000" }, "time": 1568749992.3434, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2114 }, { "call": { "category": "process", "status": 
1, "stacktrace": [], "buffer": "e3146e171f886476502fa53390762031a2b6d80f", "api": "WriteProcessMemory", "return_value": 1, "arguments": { "process_identifier": 2260, "buffer": "", "process_handle": "0x0000025c", "base_address": "0x00476000" }, "time": 1568749992.3434, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2116 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "WriteProcessMemory", "return_value": 1, "arguments": { "process_identifier": 2260, "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0018\u0000\u0000\u0000\u0018\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0000\u00000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\t\u0004\u0000\u0000H\u0000\u0000\u0000\\\u00f0\u000b\u0000\/\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u00c0\u000b\u0000\u00ef\u00bb\u00bf\r\n <\/requestedExecutionLevel><\/requestedPrivileges><\/security><\/trustInfo> 
true<\/dpiAware><\/windowsSettings><\/application><\/assembly>\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e4\u00f2\u000b\u0000\u00c8\u00f2\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f1\u00f2\u000b\u0000\u00dc\u00f2\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001a\u00f3\u000b\u0000\u00fc\u00f2\u000b\u0000\n\u00f3\u000b\u0000(\u00f3\u000b\u0000\u0000\u0000\u0000\u0000t\u0000\u0000\u0080\u0000\u0000\u0000\u0000KERNEL32.DLL\u0000WS2_32.dll\u0000\u0000\u0000ExitProcess\u0000\u0000\u0000GetProcAddress\u0000\u0000LoadLibraryA\u0000\u0000VirtualProtect\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "process_handle": "0x0000025c", "base_address": "0x004bf000" }, "time": 
1568749992.3594, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2117 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "WriteProcessMemory", "return_value": 1, "arguments": { "process_identifier": 2260, "buffer": "\u0000\u0000@\u0000", "process_handle": "0x0000025c", "base_address": "0x7efde008" }, "time": 1568749992.3594, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2118 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtSetContextThread", "return_value": 0, "arguments": { "thread_handle": "0x00000254", "registers": { "eip": 2008678852, "esp": 1638384, "edi": 0, "eax": 4973232, "ebp": 0, "edx": 0, "ebx": 2130567168, "esi": 0, "ecx": 0 }, "process_identifier": 2260 }, "time": 1568749992.3594, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2120 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x00000254", "suspend_count": 1, "process_identifier": 2260 }, "time": 1568749993.6874, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2122 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x00000270", "suspend_count": 1, "process_identifier": 2816 }, "time": 1568749993.6874, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2124 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x00000284", "suspend_count": 1, "process_identifier": 2816 }, "time": 1568749993.7034, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 2153 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x000000a8", "suspend_count": 1, "process_identifier": 2260 }, "time": 
1568749993.9531, "tid": 2824, "flags": {} }, "pid": 2260, "type": "call", "cid": 584 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "CreateProcessInternalW", "return_value": 1, "arguments": { "thread_identifier": 2268, "thread_handle": "0x00000248", "process_identifier": 264, "current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp", "filepath": "", "track": 1, "command_line": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\XDav9VW2fBNYjc3t.bat\" ", "filepath_r": "", "stack_pivoted": 0, "creation_flags": 67634192, "process_handle": "0x00000264", "inherit_handles": 0 }, "time": 1568749996.1091, "tid": 2824, "flags": { "creation_flags": "CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT" } }, "pid": 2260, "type": "call", "cid": 906 } ], "references": [], "name": "injection_runpe" } ]
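The signatures above all describe one technique: pid 2816 starts vbc.exe suspended, unmaps its image at 0x00400000, allocates an RWX region in its place, writes a new PE into it, points the main thread's EIP at the new entry and resumes it. The script below is an added example, not FreeFixer or Cuckoo code, that reads that pattern back out of a Cuckoo report. Its sample input is a constructed subset of the call marks printed above (field names as Cuckoo emits them, values trimmed to what is used); it also shows the two checks a practitioner needs when scripting over this JSON: the same call is quoted by several signatures and must be counted once, and allocations or thread resumes aimed at the injector's own pid (the "allocates_rwx" marks from unpacking) must not be mistaken for injection.

```python
"""Flag a process-hollowing (RunPE) chain in Cuckoo 'call' marks.

Added example, not FreeFixer or Cuckoo code.  It walks the signature marks
of a Cuckoo report (the structure printed above), keeps each (pid, cid) call
once even when several signatures quote it, and looks for the ordered chain
CreateProcess(CREATE_SUSPENDED) -> [NtUnmapViewOfSection] ->
NtAllocateVirtualMemory(RWX) -> WriteProcessMemory -> NtSetContextThread ->
NtResumeThread from one injector PID into one remote PID.
"""
from collections import defaultdict


def _call(pid, cid, api, time, args, flags=None):
    """Build a Cuckoo-style 'call' mark (helper for the constructed sample)."""
    return {"pid": pid, "cid": cid, "type": "call",
            "call": {"api": api, "time": time, "arguments": args,
                     "flags": flags or {}}}


# Constructed sample: the calls the report above records for pid 2816
# hollowing vbc.exe (pid 2260), trimmed to the fields this script reads.
SAMPLE_REPORT = {"signatures": [
    {"name": "allocates_execute_remote_process", "marks": [
        _call(2816, 2112, "NtAllocateVirtualMemory", 1568749992.3434,
              {"process_identifier": 2260, "region_size": 786432},
              {"protection": "PAGE_EXECUTE_READWRITE"})]},
    {"name": "injection_runpe", "marks": [
        _call(2816, 2094, "CreateProcessInternalW", 1568749992.3434,
              {"process_identifier": 2260,
               "filepath": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"},
              {"creation_flags": "CREATE_NO_WINDOW|CREATE_SUSPENDED"}),
        _call(2816, 2110, "NtUnmapViewOfSection", 1568749992.3434,
              {"process_identifier": 2260, "base_address": "0x00400000"}),
        _call(2816, 2112, "NtAllocateVirtualMemory", 1568749992.3434,  # same call, quoted again
              {"process_identifier": 2260, "region_size": 786432},
              {"protection": "PAGE_EXECUTE_READWRITE"}),
        _call(2816, 2114, "WriteProcessMemory", 1568749992.3434,
              {"process_identifier": 2260, "base_address": "0x00400000"}),
        _call(2816, 2120, "NtSetContextThread", 1568749992.3594,
              {"process_identifier": 2260, "registers": {"eip": 2008678852}}),
        _call(2816, 2122, "NtResumeThread", 1568749993.6874,
              {"process_identifier": 2260, "suspend_count": 1}),
        # A thread resumed inside the injector's own process: must not count.
        _call(2816, 362, "NtResumeThread", 1568749989.7964,
              {"process_identifier": 2816, "suspend_count": 1}),
    ]},
]}

REQUIRED = ["CreateProcessInternalW", "NtAllocateVirtualMemory",
            "WriteProcessMemory", "NtSetContextThread", "NtResumeThread"]
OPTIONAL = {"NtUnmapViewOfSection"}


def unique_calls(report):
    """Every 'call' mark once per (pid, cid), ordered by time then call id."""
    seen = {}
    for sig in report.get("signatures", []):
        for mark in sig.get("marks", []):
            if mark.get("type") == "call":
                seen.setdefault((mark["pid"], mark["cid"]), mark)
    return sorted(seen.values(), key=lambda m: (m["call"]["time"], m["cid"]))


def _stage(mark):
    """Name the hollowing stage a call represents, or None."""
    c = mark["call"]
    api, args, flags = c["api"], c["arguments"], c["flags"]
    target = args.get("process_identifier")
    if target is None or target == mark["pid"]:
        return None  # self-directed calls are unpacking noise, not injection
    if api == "CreateProcessInternalW":
        return api if "CREATE_SUSPENDED" in flags.get("creation_flags", "") else None
    if api == "NtAllocateVirtualMemory":
        return api if flags.get("protection") == "PAGE_EXECUTE_READWRITE" else None
    return api if api in REQUIRED or api in OPTIONAL else None


def find_hollowing(report):
    """One finding per (injector, target) pair whose calls complete REQUIRED in order."""
    stages, images = defaultdict(list), {}
    for mark in unique_calls(report):
        s = _stage(mark)
        if s is None:
            continue
        key = (mark["pid"], mark["call"]["arguments"]["process_identifier"])
        stages[key].append(s)
        if s == "CreateProcessInternalW":
            images[key] = mark["call"]["arguments"].get("filepath", "")
    findings = []
    for (src, dst), seq in stages.items():
        first = [seq.index(a) for a in REQUIRED if a in seq]
        if len(first) == len(REQUIRED) and first == sorted(first):
            findings.append({"injector": src, "target": dst,
                             "image": images.get((src, dst), ""),
                             "unmapped": "NtUnmapViewOfSection" in seq,
                             "stages": seq})
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_REPORT):
        print(f"pid {f['injector']} hollowed pid {f['target']} ({f['image']}): "
              f"{' -> '.join(f['stages'])}")
```

Run against the full report JSON (load it and pass the dict), the only pair that completes the chain is 2816 into 2260, and the "image" field tells you which signed Microsoft binary (here vbc.exe from the .NET 2.0 framework directory) now carries the injected code, which is the process name to look for on a live host.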
The Yara rules did not detect anything in the file.
{ "tls": [], "udp": [ { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 546, "time": 3.127641916275, "dport": 137, "sport": 137 }, { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 5226, "time": 9.1725299358368, "dport": 138, "sport": 138 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 7070, "time": 3.034029006958, "dport": 5355, "sport": 51001 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 7398, "time": 1.0689671039581, "dport": 5355, "sport": 53595 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 7726, "time": 3.0790030956268, "dport": 5355, "sport": 53848 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 8054, "time": 1.5831990242004, "dport": 5355, "sport": 54255 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 8382, "time": -0.080296039581299, "dport": 5355, "sport": 55314 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 8710, "time": 1.5790650844574, "dport": 1900, "sport": 1900 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 28120, "time": 1.0901570320129, "dport": 3702, "sport": 49152 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 36504, "time": 3.1731140613556, "dport": 1900, "sport": 53598 } ], "dns_servers": [], "http": [], "icmp": [], "smtp": [], "tcp": [], "smtp_ex": [], "mitm": [], "hosts": [], "pcap_sha256": "cc8df2a42b6e7df9346117cbc83b10c809fd2dd11d10a83221cb6592b8115727", "dns": [], "http_ex": [], "domains": [], "dead_hosts": [], "sorted_pcap_sha256": "d72fe707128eca3c693d7389771d27015fc16846a0363377b3627e6b55c37f61", "irc": [], "https_ex": [] }
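Every flow in the network block above goes to the /24 broadcast address or to a multicast group on a discovery port (NetBIOS on 137/138, LLMNR on 5355, SSDP on 1900, WS-Discovery on 3702), which a Windows guest produces on its own; there are no DNS lookups, no TCP connections and no hosts. The helper below is an added example, not FreeFixer or Cuckoo code, that filters that chatter out of a Cuckoo network summary so that anything left is worth treating as a possible command-and-control contact. Its input is a constructed subset of the udp entries printed above, plus a second copy with one hypothetical TCP flow to a TEST-NET address (203.0.113.5:4782, invented for the example) to show a positive result. One caveat: the sample slept for 291 seconds during the run, so an empty result here says only that no callback happened within the analysis window, not that the sample has no C2.

```python
"""Separate sandbox network noise from real outbound contacts in a Cuckoo
network summary.  Added example, not FreeFixer or Cuckoo code.

Keeps the flows that remain after the guest's own discovery traffic
(NetBIOS, LLMNR, SSDP, WS-Discovery to broadcast/multicast) is removed,
plus any resolved domain name, which a fully offline sample never produces.
"""
import ipaddress

# Assumption: the guest sits in 192.168.56.0/24, as the src/dst addresses show.
SANDBOX_NET = ipaddress.ip_network("192.168.56.0/24")
DISCOVERY_PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 1900: "SSDP",
                   3702: "WS-Discovery", 5355: "LLMNR"}

# Constructed sample: a subset of the udp flows printed above.
REPORT_NET = {
    "udp": [
        {"src": "192.168.56.101", "dst": "192.168.56.255", "dport": 137, "sport": 137},
        {"src": "192.168.56.101", "dst": "192.168.56.255", "dport": 138, "sport": 138},
        {"src": "192.168.56.101", "dst": "224.0.0.252", "dport": 5355, "sport": 51001},
        {"src": "192.168.56.101", "dst": "239.255.255.250", "dport": 1900, "sport": 1900},
        {"src": "192.168.56.101", "dst": "239.255.255.250", "dport": 3702, "sport": 49152},
    ],
    "tcp": [], "dns": [], "domains": [],
}

# Constructed positive control: the same summary plus one hypothetical TCP
# flow to a TEST-NET-3 address (203.0.113.0/24 is reserved for documentation).
WITH_C2 = dict(REPORT_NET, tcp=[
    {"src": "192.168.56.101", "dst": "203.0.113.5", "dport": 4782, "sport": 49201}])


def classify(dst, dport):
    """Label one destination: multicast, broadcast, lan or external."""
    ip = ipaddress.ip_address(dst)
    if ip.is_multicast:
        return "multicast"
    if ip == SANDBOX_NET.broadcast_address:
        return "broadcast"
    if ip in SANDBOX_NET:
        return "lan"
    return "external"


def external_contacts(net):
    """(proto, dst, dport) for every flow that is not guest chatter, plus
    ('dns', domain, 53) for every name the sample resolved."""
    out = []
    for proto in ("udp", "tcp"):
        for flow in net.get(proto, []):
            kind = classify(flow["dst"], flow["dport"])
            if kind == "external" or (kind == "lan" and flow["dport"] not in DISCOVERY_PORTS):
                out.append((proto, flow["dst"], flow["dport"]))
    for entry in net.get("domains", []):
        out.append(("dns", entry.get("domain", ""), 53))
    return out


def noise_summary(net):
    """Count the discovery-protocol flows; a non-empty count confirms the
    guest was up and emitting traffic even though the sample stayed silent."""
    counts = {}
    for proto in ("udp", "tcp"):
        for flow in net.get(proto, []):
            name = DISCOVERY_PORTS.get(flow["dport"], classify(flow["dst"], flow["dport"]))
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print("noise:", noise_summary(REPORT_NET))
    print("contacts in report:", external_contacts(REPORT_NET))
    print("contacts with injected C2 flow:", external_contacts(WITH_C2))
```

Broadcast and multicast destinations are classified by address, not by port, so a sample that tunnels data over an unusual port to a unicast address is still reported; only unicast LAN flows on the five discovery ports are treated as noise.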
The instructions below show how to remove cod2.3.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the cod2.3.exe file for removal, restart your computer and scan it again to verify that cod2.3.exe has been successfully removed. Keep in mind what the sandbox report above shows: the file injects its payload into a suspended copy of vbc.exe, drops a .bat file in the user's Temp folder, and sets HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to start an executable placed under AppData\Roaming\del\ ahead of explorer.exe, so deleting cod2.3.exe alone leaves that executable to be launched again at the next logon. Check that Winlogon\Shell value (it should normally be absent under HKEY_CURRENT_USER, or read explorer.exe), remove the dropped files, and note that the file names in the report come from the sandbox run and may differ on your system. Here are the removal instructions in more detail:
Property | Value |
---|---|
MD5 | a1cf9d0c4d401bc10cf89eebaa13176f |
SHA256 | 04a9f7601933c4422778231983045c475714b282da5b6d9b92fa1b6a30489e70 |
These are some of the error messages that can appear related to cod2.3.exe:
cod2.3.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
cod2.3.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
AsmScriptd has stopped working.
End Program - cod2.3.exe. This program is not responding.
cod2.3.exe is not a valid Win32 application.
cod2.3.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
To help other users, please let us know what you will do with cod2.3.exe:
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.