What is install_lodop32.exe?
install_lodop32.exe is part of Lodop(???) Install and developed by MTSoftware(CN) according to the install_lodop32.exe version information.
install_lodop32.exe's description is "Print Control Lodop(32-bit) Install"
install_lodop32.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected install_lodop32.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on install_lodop32.exe:
| Property | Value |
|---|---|
| Product name | Lodop(???) Install |
| Company name | MTSoftware(CN) |
| File description | Print Control Lodop(32-bit) Install |
| Internal name | Lodop(???) Install |
| Original filename | install_lodop32.exe |
| Comments | (??)???????????MTSoftware |
| Legal copyright | (??)???????????MTSoftware |
| Legal trademark | Lodop |
| Product version | 6.x |
| File version | 6.2.1.7 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | Lodop(???) Install |
| Company name | MTSoftware(CN) |
| File description | Print Control Lodop(32-bit) Install |
| Internal name | Lodop(???) Install |
| Original filename | install_lodop32.exe |
| Comments | (??)???????????MTSoftware |
| Legal copyright | (??)???????????MTSoftware |
| Legal trademark | Lodop |
| Product version | 6.x |
| File version | 6.2.1.7 |
VirusTotal report
57 of the 65 anti-virus programs at VirusTotal detected the install_lodop32.exe file. That's a 88% detection rate.
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| Ad-Aware | Win32.Parite.B |
| AhnLab-V3 | Win32/Parite |
| ALYac | Win32.Parite.B |
| Antiy-AVL | Virus/Win32.Parite.c |
| Arcabit | Win32.Parite.B |
| Avast | Win32:Parite |
| AVG | Win32:Parite |
| Avira | W32/Parite |
| Baidu | Win32.Virus.Parite.d |
| BitDefender | Win32.Parite.B |
| CAT-QuickHeal | W32.Perite.A |
| ClamAV | Heuristics.W32.Parite.B |
| CMC | Virus.Win32.Parite.b!O |
| Comodo | Virus.Win32.Parite.gen@1dp8c4 |
| CrowdStrike | malicious_confidence_100% (W) |
| Cybereason | malicious.4e2d6c |
| Cylance | Unsafe |
| Cyren | W32/Parite.LAQX-0866 |
| DrWeb | Win32.Parite.2 |
| eGambit | Unsafe.AI_Score_97% |
| Emsisoft | Win32.Parite.B (B) |
| Endgame | malicious (moderate confidence) |
| ESET-NOD32 | Win32/Parite.B |
| F-Secure | Malware.W32/Parite |
| Fortinet | W32/Parite.B |
| GData | Win32.Parite.B |
| Ikarus | Trojan.Win32.FakeAV |
| Invincea | heuristic |
| Jiangmin | Win32/Parite.b |
| K7AntiVirus | Virus ( 00001b711 ) |
| K7GW | Virus ( 00001b711 ) |
| Kaspersky | Virus.Win32.Parite.b |
| Kingsoft | Win32.Parite.b.5756 |
| MAX | malware (ai score=100) |
| McAfee | W32/Pate.b |
| McAfee-GW-Edition | BehavesLike.Win32.Pate.vc |
| Microsoft | Virus:Win32/Parite.B |
| MicroWorld-eScan | Win32.Parite.B |
| NANO-Antivirus | Virus.Win32.Parite.bgvo |
| Paloalto | generic.ml |
| Panda | W32/Parite.B |
| Qihoo-360 | Virus.Win32.Parite.H |
| Rising | Virus.Parite!1.9B80 (CLOUD) |
| SentinelOne | static engine - malicious |
| Sophos | W32/Parite-B |
| Symantec | W32.Pinfi.B |
| TACHYON | Virus/W32.Parite.C |
| Tencent | Virus.Win32.Parite.b |
| TheHacker | W32/Pate.B |
| TotalDefense | Win32/Pinfi.A |
| Trapmine | malicious.high.ml.score |
| VBA32 | Virus.Win32.Parite.b |
| ViRobot | Win32.Parite.A |
| Yandex | Win32.Parite.B |
| ZoneAlarm | Virus.Win32.Parite.b |
| Zoner | Trojan.Win32.Parite.22014 |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\NPCAOSOFT_WEB_PRINT_lodop.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default",
"C:\\Program Files (x86)\\MountTaiSoftware",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application\\plugins",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data"
],
"dll_loaded": [
"imm32.dll",
"winmm.dll",
"GDI32.DLL",
"kernel32.dll",
"UxTheme.dll",
"oleaut32.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"USER32.DLL",
"msimg32.dll",
"MPR.DLL",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"URLMON.DLL",
"C:\\Windows\\syswow64\\MSCTF.dll",
"KERNEL32.DLL",
"OLEAUT32.DLL",
"IPHLPAPI.DLL",
"advapi32.dll",
"comctl32",
"ole32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp",
"comdlg32.dll",
"olepro32.dll",
"version.dll",
"ADVAPI32.dll",
"uxtheme.dll",
"gdi32.dll",
"ADVAPI32.DLL",
"comctl32.dll",
"SETUPAPI.dll",
"security.dll",
"SXS.DLL",
"Kernel32.dll",
"msvcrt.dll",
"DEVRTL.dll",
"shell32.dll",
"OLE32.DLL",
"COMCTL32.DLL",
"winspool.drv",
"user32.dll",
"WSOCK32.DLL"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.bin",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\permissions.sqlite"
],
"regkey_opened": [
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Version",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_CLASSES_ROOT\\Lodop.LodopX\\Clsid",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\04090409",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\Software\\CodeGear\\Locales",
"HKEY_CURRENT_USER\\Software\\Borland\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}",
"HKEY_CURRENT_USER\\Interface",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\ToolboxBitmap32",
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Embarcadero\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\HELPDIR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Verb\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.bin",
"HKEY_CURRENT_USER\\SOFTWARE\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\CodeGear\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\FLAGS",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\iexplore",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Verb",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\MiscStatus\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\ProgID",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\iexplore\\AllowedDomains\\*",
"HKEY_CLASSES_ROOT\\Lodop.LodopX",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\MiscStatus",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\0\\win32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}",
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.0",
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Control",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib",
"HKEY_CURRENT_USER\\SOFTWARE\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19",
"HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{2105C259-1E0C-4534-8141-A753534CB4CA}",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop",
"HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\041D0409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Embarcadero\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}",
"HKEY_CURRENT_USER\\SOFTWARE\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}"
],
"file_written": [
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\NPCAOSOFT_WEB_PRINT_lodop.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{2105C259-1E0C-4534-8141-A753534CB4CA}"
],
"file_exists": [
"",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application",
"C:\\Windows\\System32\\NPCAOSOFT_WEB_PRINT_lodop.dll",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\LodopDllInstall64.exe",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\NPCAOSOFT_WEB_PRINT_lodop.dll",
"C:\\Program Files (x86)",
"C:\\Program Files (x86)\\MountTaiSoftware",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application\\plugins",
"C:\\Windows\\System32\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\permissions.sqlite",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data"
],
"file_failed": [
"C:\\Windows\\winsxs\\FileMaps\\program_files_x86_mounttaisoftware_lodop_81071fa8a0de8fac.cdf-ms"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.bin",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\permissions.sqlite"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PINF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\State",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1200",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\0\\win32\\(Default)",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\HELPDIR\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\iexplore\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\FLAGS\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1405",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.en",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.EN",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.en-US",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.en-US",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.en",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.ENU",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ENU",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.EN"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\MiscStatus\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\ToolboxBitmap32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Verb\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Version\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\0\\win32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\Settings\\LOCALMACHINE_CD_UNLOCK",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\iexplore.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Lodop.LodopX\\Clsid\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\HELPDIR\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\Path",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\FLAGS\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\Version",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Verb\\0\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\(Default)",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\Path",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\iexplore\\AllowedDomains\\*\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Control\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Lodop.LodopX\\(Default)",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\MiscStatus\\1\\(Default)",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\Version"
]
}Dropped
[
{
"yara": [],
"sha1": "c2140a6148c29007971d79d908dec983f991727e",
"name": "27866fc51dfe2ff6_caosoft_web_print_lodop.ocx",
"filepath": "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed",
"sha256": "27866fc51dfe2ff61fa97338b66084df6d93b845dae6a4c314834e18aaa17341",
"urls": [],
"crc32": "89133362",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3876\/files\/27866fc51dfe2ff6_caosoft_web_print_lodop.ocx",
"ssdeep": null,
"size": 1583616,
"sha512": "99d1a9c824572a01d8735b214b5ab2e9897044b99668cf00b99c640ec5249e8e93fe3557597ca433b22eb7fca6e7b4cc7c1153ac67b5cfea6c371b838311a7e2",
"pids": [
2660
],
"md5": "332b0fd1e98efc209e3cafff2b3d6446"
},
{
"yara": [],
"sha1": "894b3a5a4edeecb6e9a7fb172570ff6c6cb63ec7",
"name": "60a5fda3a85bc29c_npcaosoft_web_print_lodop.dll",
"filepath": "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\NPCAOSOFT_WEB_PRINT_lodop.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed",
"sha256": "60a5fda3a85bc29cd94b7e1df6aa613353b31187bf5a9b30363d8dc6f1dfa202",
"urls": [],
"crc32": "E167917E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3876\/files\/60a5fda3a85bc29c_npcaosoft_web_print_lodop.dll",
"ssdeep": null,
"size": 343552,
"sha512": "3863c7fbc250e9754c5a053dcb0a4e37ac11dca65ba8ee25ef67b227d9df1f00eee538f524925dad286abb12a34a6d39bc1eebcff3380f56381d633693f66573",
"pids": [
2660
],
"md5": "0b11270c32657df207a40d0ef02e07d4"
},
{
"yara": [],
"sha1": "6a1b978f5e6150b88c8634146f1406ed97d2f134",
"name": "0e478c95a7a07570_xea57e8.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp",
"type": "PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows",
"sha256": "0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4",
"urls": [],
"crc32": "CB1602FC",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3876\/files\/0e478c95a7a07570_xea57e8.tmp",
"ssdeep": null,
"size": 176128,
"sha512": "6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9",
"pids": [
2660
],
"md5": "685f1cbd4af30a1d0c25f252d399a666"
},
{
"yara": [],
"sha1": "136cb3f073848fc8a78139752e8f4de31390cfde",
"name": "9692bfc4e6eb3385_user.js",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"type": "ASCII text, with CRLF line terminators",
"sha256": "9692bfc4e6eb338595b20fcd8883730f669fd519574061daf56cb0738b481c79",
"urls": [],
"crc32": "03DF3867",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3876\/files\/9692bfc4e6eb3385_user.js",
"ssdeep": null,
"size": 103,
"sha512": "2602d766a1c98d3fd65e6b85f42e1103bbb73277b213ed3388e90be6e248cad4c7a9af0b97f095761a6f3b2bea226233dc503dd37ef4dc209aa0716ffe46a6b3",
"pids": [
2660
],
"md5": "388eda8542b008b44722d1713ecd8d4d"
}
]Generic
[
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1574916786.34375,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.bin",
"process_name": "5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.bin",
"pid": 2660,
"summary": {
"file_created": [
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\NPCAOSOFT_WEB_PRINT_lodop.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default",
"C:\\Program Files (x86)\\MountTaiSoftware",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application\\plugins",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data"
],
"dll_loaded": [
"imm32.dll",
"winmm.dll",
"GDI32.DLL",
"kernel32.dll",
"UxTheme.dll",
"oleaut32.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"USER32.DLL",
"msimg32.dll",
"MPR.DLL",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"URLMON.DLL",
"C:\\Windows\\syswow64\\MSCTF.dll",
"KERNEL32.DLL",
"OLEAUT32.DLL",
"IPHLPAPI.DLL",
"advapi32.dll",
"comctl32",
"ole32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp",
"comdlg32.dll",
"olepro32.dll",
"version.dll",
"ADVAPI32.dll",
"uxtheme.dll",
"gdi32.dll",
"ADVAPI32.DLL",
"comctl32.dll",
"SETUPAPI.dll",
"security.dll",
"SXS.DLL",
"Kernel32.dll",
"msvcrt.dll",
"DEVRTL.dll",
"shell32.dll",
"OLE32.DLL",
"COMCTL32.DLL",
"winspool.drv",
"user32.dll",
"WSOCK32.DLL"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.bin",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\permissions.sqlite"
],
"regkey_opened": [
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Version",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_CLASSES_ROOT\\Lodop.LodopX\\Clsid",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\04090409",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\Software\\CodeGear\\Locales",
"HKEY_CURRENT_USER\\Software\\Borland\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}",
"HKEY_CURRENT_USER\\Interface",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\ToolboxBitmap32",
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Embarcadero\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\HELPDIR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Verb\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.bin",
"HKEY_CURRENT_USER\\SOFTWARE\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\CodeGear\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\FLAGS",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\iexplore",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Verb",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\MiscStatus\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\ProgID",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\iexplore\\AllowedDomains\\*",
"HKEY_CLASSES_ROOT\\Lodop.LodopX",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\MiscStatus",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\0\\win32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}",
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.0",
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1",
"HKEY_CLASSES_ROOT\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Control",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib",
"HKEY_CURRENT_USER\\SOFTWARE\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19",
"HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{2105C259-1E0C-4534-8141-A753534CB4CA}",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop",
"HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\041D0409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Embarcadero\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}",
"HKEY_CURRENT_USER\\SOFTWARE\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}"
],
"file_written": [
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\NPCAOSOFT_WEB_PRINT_lodop.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{2105C259-1E0C-4534-8141-A753534CB4CA}"
],
"file_exists": [
"",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application",
"C:\\Windows\\System32\\NPCAOSOFT_WEB_PRINT_lodop.dll",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\LodopDllInstall64.exe",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\NPCAOSOFT_WEB_PRINT_lodop.dll",
"C:\\Program Files (x86)",
"C:\\Program Files (x86)\\MountTaiSoftware",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application\\plugins",
"C:\\Windows\\System32\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\permissions.sqlite",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data"
],
"file_failed": [
"C:\\Windows\\winsxs\\FileMaps\\program_files_x86_mounttaisoftware_lodop_81071fa8a0de8fac.cdf-ms"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\user.js",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.bin",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\permissions.sqlite"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PINF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\State",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1200",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\0\\win32\\(Default)",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\HELPDIR\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\iexplore\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\FLAGS\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1405",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.en",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.EN",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.en-US",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.en-US",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.en",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.ENU",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ENU",
"C:\\Program Files (x86)\\MountTaiSoftware\\Lodop",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e.EN"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\MiscStatus\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\ToolboxBitmap32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Verb\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Version\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\0\\win32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\Settings\\LOCALMACHINE_CD_UNLOCK",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\iexplore.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Lodop.LodopX\\Clsid\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\HELPDIR\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\Path",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\\6.0\\FLAGS\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\Version",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\TypeLib\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Verb\\0\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\(Default)",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\Path",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\iexplore\\AllowedDomains\\*\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\Control\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Lodop.LodopX\\(Default)",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\\TypeLib\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{2105C259-1E0C-4534-8141-A753534CB4CA}\\MiscStatus\\1\\(Default)",
"HKEY_CURRENT_USER\\Software\\MozillaPlugins\\@MountTaiSoftware.com\/web_print_lodop,version=6.1\\MimeTypes\\application\/x-print-lodop\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\\TypeLib\\Version"
]
},
"first_seen": 1574916786.609375,
"ppid": 1624
}
]Signatures
[
{
"markcount": 1,
"families": [],
"description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
"severity": 1,
"marks": [
{
"category": "section",
"ioc": ".pmj\\x07",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_features"
},
{
"markcount": 2,
"families": [],
"description": "The file contains an unknown PE resource name possibly indicative of a packer",
"severity": 1,
"marks": [
{
"category": "resource name",
"ioc": "DLL",
"type": "ioc",
"description": null
},
{
"category": "resource name",
"ioc": "OCX",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_unknown_resource_name"
},
{
"markcount": 1,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n4\nb\n4\ne\n5\n \n@\n \n0\nx\n4\n4\nb\n4\ne\n5\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n4\nb\n2\n3\n4\n \n@\n \n0\nx\n4\n4\nb\n2\n3\n4\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\nc\nb\n8\n8\n8\n \n@\n \n0\nx\n4\nc\nb\n8\n8\n8\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\nc\na\n3\n1\ne\n \n@\n \n0\nx\n4\nc\na\n3\n1\ne\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\na\n8\n2\n8\n1\n \n@\n \n0\nx\n4\na\n8\n2\n8\n1\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n5\n2\n4\nd\n \n@\n \n0\nx\n4\n8\n5\n2\n4\nd\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\na\n5\n9\n8\n5\n \n@\n \n0\nx\n4\na\n5\n9\n8\n5\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n4\n8\ne\nb\n \n@\n \n0\nx\n4\n8\n4\n8\ne\nb\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n4\n0\n9\n4\n6\n \n@\n \n0\nx\n4\n4\n0\n9\n4\n6\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\n1\n8\n5\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\n1\n6\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\ne\n8\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\ne\n8\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\n1\ne\n1\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n1\nb\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\ne\n4\n4\n \n@\n \n0\nx\n7\n6\n3\na\n6\ne\n4\n4\n\n\nK\ni\nU\ns\ne\nr\nC\na\nl\nl\nb\na\nc\nk\nD\ni\ns\np\na\nt\nc\nh\ne\nr\n+\n0\nx\n2\ne\n \nK\ni\nU\ns\ne\nr\nE\nx\nc\ne\np\nt\ni\no\nn\nD\ni\ns\np\na\nt\nc\nh\ne\nr\n-\n0\nx\n1\na\n \nn\nt\nd\nl\nl\n+\n0\nx\n1\n0\n1\n1\na\n \n@\n \n0\nx\n7\n7\nb\na\n0\n1\n1\na\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\nn\nc\ne\ns\nt\no\nr\n-\n0\nx\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\nc\n5\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\nc\n5\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\na\n2\n9\n1\n9\n \n@\n \n0\nx\n4\na\n2\n9\n1\n9\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n4\ne\n5\n2\n \n@\n \n0\nx\n4\n8\n4\ne\n5\n2\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\na\n5\n9\n8\n5\n \n@\n \n0\nx\n4\na\n5\n9\n8\n5\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n4\n8\ne\nb\n \n@\n \n0\nx\n4\n8\n4\n8\ne\nb\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n4\n0\n9\n4\n6\n \n@\n \n0\nx\n4\n4\n0\n9\n4\n6\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\n1\n8\n5\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\n1\n6\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\ne\n8\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\ne\n8\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\n1\ne\n1\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n1\nb\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\ne\n4\n4\n \n@\n \n0\nx\n7\n6\n3\na\n6\ne\n4\n4\n\n\nK\ni\nU\ns\ne\nr\nC\na\nl\nl\nb\na\nc\nk\nD\ni\ns\np\na\nt\nc\nh\ne\nr\n+\n0\nx\n2\ne\n \nK\ni\nU\ns\ne\nr\nE\nx\nc\ne\np\nt\ni\no\nn\nD\ni\ns\np\na\nt\nc\nh\ne\nr\n-\n0\nx\n1\na\n \nn\nt\nd\nl\nl\n+\n0\nx\n1\n0\n1\n1\na\n \n@\n \n0\nx\n7\n7\nb\na\n0\n1\n1\na\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n5\n2\n4\nd\n \n@\n \n0\nx\n4\n8\n5\n2\n4\nd\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\na\n5\n9\n8\n5\n \n@\n \n0\nx\n4\na\n5\n9\n8\n5\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n4\n8\ne\nb\n \n@\n \n0\nx\n4\n8\n4\n8\ne\nb\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n4\n0\n9\n4\n6\n \n@\n \n0\nx\n4\n4\n0\n9\n4\n6\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\n1\n8\n5\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\n1\n6\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\ne\n8\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\ne\n8\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\n1\ne\n1\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n1\nb\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\ne\n4\n4\n \n@\n \n0\nx\n7\n6\n3\na\n6\ne\n4\n4\n\n\nK\ni\nU\ns\ne\nr\nC\na\nl\nl\nb\na\nc\nk\nD\ni\ns\np\na\nt\nc\nh\ne\nr\n+\n0\nx\n2\ne\n \nK\ni\nU\ns\ne\nr\nE\nx\nc\ne\np\nt\ni\no\nn\nD\ni\ns\np\na\nt\nc\nh\ne\nr\n-\n0\nx\n1\na\n \nn\nt\nd\nl\nl\n+\n0\nx\n1\n0\n1\n1\na\n \n@\n \n0\nx\n7\n7\nb\na\n0\n1\n1\na\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n0\n9\ne\nf\n \n@\n \n0\nx\n4\n8\n0\n9\ne\nf\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n5\n2\n4\nd\n \n@\n \n0\nx\n4\n8\n5\n2\n4\nd\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\na\n5\n9\n8\n5\n \n@\n \n0\nx\n4\na\n5\n9\n8\n5\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n0\n6\n1\n3\n \n@\n \n0\nx\n4\n8\n0\n6\n1\n3\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n4\n6\n9\n6\n \n@\n \n0\nx\n4\n8\n4\n6\n9\n6\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n4\n7\na\n5\n \n@\n \n0\nx\n4\n8\n4\n7\na\n5\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n7\n2\n8\n7\n \n@\n \n0\nx\n4\n8\n7\n2\n8\n7\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n5\n2\n4\nd\n \n@\n \n0\nx\n4\n8\n5\n2\n4\nd\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\na\n5\n9\n8\n5\n \n@\n \n0\nx\n4\na\n5\n9\n8\n5\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n8\n0\n6\n1\n3\n \n@\n \n0\nx\n4\n8\n0\n6\n1\n3\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\n7\nf\n0\n4\n7\n \n@\n \n0\nx\n4\n7\nf\n0\n4\n7\n\n\n5\nb\n8\n5\nd\n0\ne\n2\n4\n2\nf\n3\n2\ne\n6\n8\nb\nc\n3\nb\n6\n5\n9\n4\n2\n9\n5\nf\n5\nc\nb\n0\ne\nc\n7\n2\nb\n7\n0\n7\n9\n3\n8\n9\n6\n4\n5\n7\n6\n1\n1\n4\n4\na\n8\n4\n9\n5\n6\n7\n6\n5\n0\ne\n+\n0\nx\nd\n2\nd\nd\nb\n \n@\n \n0\nx\n4\nd\n2\nd\nd\nb\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1633980,
"edi": 1634152,
"eax": 1633980,
"ebp": 1634060,
"edx": 0,
"ebx": 44996480,
"esi": 5030836,
"ecx": 7
},
"exception": {
"instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
"symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
"instruction": "leave",
"module": "KERNELBASE.dll",
"exception_code": "0xeedfade",
"offset": 46887,
"address": "0x75dbb727"
}
},
"time": 1574916787.530375,
"tid": 2308,
"flags": {}
},
"pid": 2660,
"type": "call",
"cid": 3270
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 9,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2660,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77311000"
},
"time": 1574916786.749375,
"tid": 2308,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2660,
"type": "call",
"cid": 66
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2660,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77b61000"
},
"time": 1574916786.749375,
"tid": 2308,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2660,
"type": "call",
"cid": 68
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2660,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00890000"
},
"time": 1574916786.780375,
"tid": 2308,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2660,
"type": "call",
"cid": 575
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2660,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x008a0000"
},
"time": 1574916786.827375,
"tid": 2308,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2660,
"type": "call",
"cid": 1251
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2660,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74ad1000"
},
"time": 1574916786.843375,
"tid": 2308,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2660,
"type": "call",
"cid": 1397
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2660,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77351000"
},
"time": 1574916787.155375,
"tid": 2308,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2660,
"type": "call",
"cid": 1955
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2660,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74ab1000"
},
"time": 1574916787.155375,
"tid": 2308,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2660,
"type": "call",
"cid": 1957
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2660,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02120000"
},
"time": 1574916787.187375,
"tid": 2308,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2660,
"type": "call",
"cid": 2835
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2660,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f1000"
},
"time": 1574916787.202375,
"tid": 2308,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2660,
"type": "call",
"cid": 3000
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 6,
"families": [],
"description": "Steals private information from local Internet browsers",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\Application\\plugins",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "infostealer_browser"
},
{
"markcount": 5,
"families": [],
"description": "Foreign language identified in PE resource",
"severity": 2,
"marks": [
{
"name": "DLL",
"language": "LANG_CHINESE",
"offset": "0x000f4904",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00053e00"
},
{
"name": "OCX",
"language": "LANG_CHINESE",
"offset": "0x00148704",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00182a00"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x002f5908",
"filetype": "GLS_BINARY_LSB_FIRST",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000128"
},
{
"name": "RT_GROUP_ICON",
"language": "LANG_CHINESE",
"offset": "0x002f5a34",
"filetype": "MS Windows icon resource - 1 icon, 16x16, 16 colors",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000014"
},
{
"name": "RT_VERSION",
"language": "LANG_CHINESE",
"offset": "0x002f5a4c",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000003a0"
}
],
"references": [],
"name": "origin_langid"
},
{
"markcount": 1,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\xea57E8.tmp",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 3,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.802939086167914,
"section": {
"size_of_data": "0x0024fa00",
"virtual_address": "0x000a5000",
"entropy": 7.802939086167914,
"name": "UPX1",
"virtual_size": "0x00250000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 7.150906723842011,
"section": {
"size_of_data": "0x00000600",
"virtual_address": "0x002f7000",
"entropy": 7.150906723842011,
"name": ".pmj\\x07",
"virtual_size": "0x00001000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.9981032665964172,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 2,
"families": [],
"description": "The executable is compressed using UPX",
"severity": 2,
"marks": [
{
"section": "UPX0",
"type": "generic",
"description": "Section name indicates UPX"
},
{
"section": "UPX1",
"type": "generic",
"description": "Section name indicates UPX"
}
],
"references": [],
"name": "packer_upx"
},
{
"markcount": 2,
"families": [],
"description": "Attempts to modify browser security settings",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\iexplore.exe",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\Settings\\LOCALMACHINE_CD_UNLOCK",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "browser_security"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.207767963409424,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5342,
"time": 12.208781003952026,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7186,
"time": 6.146852970123291,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7514,
"time": 4.147227048873901,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7842,
"time": 6.156819105148315,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8170,
"time": 4.794993162155151,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8498,
"time": 3.0388431549072266,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8826,
"time": 4.710314989089966,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28236,
"time": 4.178385019302368,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36620,
"time": 6.255247116088867,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "962a23065b607129696d72111096c66827d092404eff21b179b5eae7378ccce2",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "3c52b3fc4ac69caaad9f65d203259a04d00cec90fab85b8f815af67111b29679",
"irc": [],
"https_ex": []
}Screenshots
install_lodop32.exe removal instructions
The instructions below shows how to remove install_lodop32.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the install_lodop32.exe file for removal, restart your computer and scan it again to verify that install_lodop32.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate install_lodop32.exe in the scan result and tick the checkbox next to the install_lodop32.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate install_lodop32.exe in the scan result.
c:\downloads\install_lodop32.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the install_lodop32.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If install_lodop32.exe still remains in the scan result, proceed with the next step. If install_lodop32.exe is gone from the scan result you're done.
- If install_lodop32.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that install_lodop32.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | c66d1fc4e2d6caab8a9bb8d4f99e1e9f |
| SHA256 | 5b85d0e242f32e68bc3b6594295f5cb0ec72b7079389645761144a849567650e |
Error Messages
These are some of the error messages that can appear related to install_lodop32.exe:
install_lodop32.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
install_lodop32.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Print Control Lodop(32-bit) Install has stopped working.
End Program - install_lodop32.exe. This program is not responding.
install_lodop32.exe is not a valid Win32 application.
install_lodop32.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with the file?
To help other users, please let us know what you will do with the file:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.