What is rstyle.exe?
rstyle.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected rstyle.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Digital signatures [?]
rstyle.exe is not signed.
VirusTotal report
48 of the 71 anti-virus programs at VirusTotal detected the rstyle.exe file. That's a 68% detection rate.
| Scanner | Detection Name |
|---|---|
| Ad-Aware | Dropped:Application.GenericKD.3863024 |
| AegisLab | Trojan.Win32.Generic.lCIq |
| Alibaba | HackTool:Win32/Netpass.615e376f |
| Antiy-AVL | RiskWare[PSWTool]/Win32.NetPass |
| Arcabit | Application.Generic.D3AF1F0 |
| Avast | Win32:Malware-gen |
| AVG | Win32:Malware-gen |
| Avira | SPR/NetPass.A |
| BitDefender | Dropped:Application.GenericKD.3863024 |
| CAT-QuickHeal | Pwstool.Netpass |
| Comodo | Packed.Win32.MUPX.Gen@24tbus |
| CrowdStrike | win/malicious_confidence_60% (W) |
| Cybereason | malicious.2f529b |
| Cyren | W32/Trojan.MFTQ-3201 |
| DrWeb | Trojan.MulDrop9.9661 |
| Emsisoft | Dropped:Application.GenericKD.3863024 (B) |
| Endgame | malicious (moderate confidence) |
| ESET-NOD32 | a variant of Win32/NetPass.AA potentially unsafe |
| F-Prot | W32/Trojan2.OLOA |
| F-Secure | Heuristic.HEUR/AGEN.1041082 |
| FireEye | Generic.mg.4e68e792f529bc0c |
| Fortinet | Riskware/PassView |
| GData | Win64.Trojan.Agent.7M0BBX |
| Invincea | heuristic |
| Jiangmin | Trojan/Agent.hghn |
| K7AntiVirus | Trojan ( 004a84a31 ) |
| K7GW | Trojan ( 004a84a31 ) |
| Kaspersky | not-a-virus:PSWTool.Win32.NetPass.cek |
| Malwarebytes | PUP.Optional.NetworkPasswordTool |
| MAX | malware (ai score=100) |
| McAfee | Artemis!4E68E792F529 |
| McAfee-GW-Edition | RDN/Generic PUP.z |
| Microsoft | HackTool:Win32/Netpass |
| MicroWorld-eScan | Dropped:Application.GenericKD.3863024 |
| NANO-Antivirus | Riskware.Win32.PassView.crbaba |
| Qihoo-360 | Win32/Virus.PSW.06a |
| Rising | PUA.Presenoker!8.F608 (CLOUD) |
| Sophos | Generic PUA EB (PUA) |
| Symantec | SMG.Heur!gen |
| TotalDefense | Win32/Tnega.ROAcZN |
| Trapmine | suspicious.low.ml.score |
| TrendMicro | TROJ_FRS.0NA000EF14 |
| TrendMicro-HouseCall | TROJ_FRS.0NA000EF14 |
| VBA32 | Trojan.MulDrop |
| Webroot | W32.Trojan.Gen |
| Yandex | Riskware.PSWTool! |
| Zillya | Tool.NetPass.Win32.2568 |
| ZoneAlarm | not-a-virus:PSWTool.Win32.NetPass.cek |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00.tmp",
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"C:\\Windows\\servicing\\Editions\\__tmp_rar_sfx_access_check_16896921",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck-190911_183309.sndr",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\pauto.dll",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng",
"C:\\Windows\\servicing\\Editions\\prefetch\\cpt.tpl",
"C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00.tmp"
],
"directory_created": [
"C:\\Windows\\servicing\\GC64",
"C:\\Windows\\servicing\\Sessions",
"C:\\Windows\\servicing\\en-US",
"C:\\Windows\\servicing\\ru-RU",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00",
"C:\\Windows\\servicing\\Editions",
"C:\\Windows\\sysvol\\staging areas",
"C:\\Windows\\servicing",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\sysvol\\staging",
"C:\\Windows\\sysvol",
"C:\\Windows\\sysvol\\domain",
"C:\\Windows",
"C:\\Windows\\servicing\\Version",
"C:\\Windows\\sysvol\\sysvol",
"C:\\Windows\\servicing\\SQM",
"C:\\Windows\\servicing\\Packages"
],
"dll_loaded": [
"gdi32",
"COMDLG32.dll",
"kernel32",
"gdi32.dll",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"OLEAUT32.DLL",
"mpr.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"KERNEL32.DLL",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"user32",
"comdlg32",
"advapi32.dll",
"comctl32",
"ole32.dll",
"COMCTL32.dll",
"ws2_32.dll",
"USER32.dll",
"IMM32.dll",
"HHCTRL.OCX",
"version.dll",
"riched32.dll",
"shell32.dll",
"OLEAUT32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\pauto.dll",
"SHELL32.dll",
"comctl32.dll",
"C:\\Windows\\system32\\shell32.dll",
"riched20.dll",
"GDI32.dll",
"Kernel32.dll",
"Oleaut32.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"SETUPAPI.dll",
"user32.dll",
"COMCTL32.DLL"
],
"file_opened": [
"C:\\",
"C:\\Windows\\sysvol\\",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Windows\\servicing\\Editions",
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng",
"C:\\Users\\cuck\\Videos\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Credentials\\",
"C:\\Users\\desktop.ini",
"C:\\Windows\\win.ini",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"C:\\Users\\cuck\\Pictures\\desktop.ini",
"C:\\Users\\cuck\\Music\\desktop.ini",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Users\\cuck",
"C:\\Windows\\servicing\\Editions\\prefetch"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\WinRAR SFX",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"
],
"file_moved": [
[
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\sysvol\\fileschk.exe"
]
],
"file_written": [
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\pauto.dll",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng",
"C:\\Windows\\servicing\\Editions\\prefetch\\cpt.tpl"
],
"file_deleted": [
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Windows\\servicing\\Editions\\__tmp_rar_sfx_access_check_16896921",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck-190911_183309.sndr",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00"
],
"file_exists": [
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64_lng.ini",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Windows\\sysvol\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\prefetch\\\"chek.bat\"",
"C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"C:\\Windows\\servicing\\Editions\\\"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat\"",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\servicing\\Editions\\\n",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck-190911_183309.sndr",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Windows\\SysWOW64\\taskmgr.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\tpl.cpt",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\gocuck",
"C:\\Windows\\servicing\\Editions",
"C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe"
],
"file_failed": [
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.cfg"
],
"guid": [
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{00000000-0000-0000-c000-000000000046}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{03c036f1-a186-11d0-824a-00aa005b4383}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}"
],
"command_line": [
"sfxd.exe \/co \/mo C:\\Windows\\sysvol\\staging\\",
"\"npsm64.exe\" \/allusers \/stext cuck-190911_183309.sndr",
"\"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat\" ",
"sfxd.exe \/co \/mo C:\\Windows\\sysvol\\sysvol\\",
"\"chek.bat\"",
"sfxd.exe \/co \/mo C:\\Windows\\sysvol\\",
"sfxd.exe \/co \/mo \"C:\\Windows\\sysvol\\staging areas\\\"",
"rstyl.exe ",
"C:\\Windows\\sysvol\\fileschk.exe ",
"\"cmd.exe\" \/c echo if ^%sof^% GTR 524 (md go%username%) else ^echo %username%^>^>com.dat>>chek.bat",
"\"cmd.exe\" \/c start \/D %windir%\\servicing\\Editions\\prefetch rstyl.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"sfxd.exe \/co \/mo C:\\Windows\\sysvol\\domain\\",
"\"cmd.exe\" \/c echo for ^%^%I in (cuck-190911_183309.sndr) do set sof=^%^%^~zI>chek.bat"
],
"file_read": [
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Users\\desktop.ini",
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\Videos\\desktop.ini",
"C:\\Users\\cuck\\Pictures\\desktop.ini",
"C:\\Users\\cuck\\Music\\desktop.ini",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Fonts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common AppData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Programs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Programs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Startup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Start Menu",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Fonts",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Programs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Desktop",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Start Menu",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Desktop",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Start Menu",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Windows\\sysvol\\sysvol\\*",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\sysvol\\fileschk.exe",
"C:\\Windows\\sysvol\\staging areas\\*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\*.*",
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\sysvol\\staging\\*",
"C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"C:\\Windows\\servicing",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\*.lng",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck-190911_183309.sndr",
"C:\\Windows",
"C:\\Windows\\sysvol\\*",
"C:\\Windows\\servicing\\Editions\\prefetch\\tpl.cpt",
"C:\\Windows\\sysvol\\domain\\*",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Windows\\servicing\\Editions",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\WinRAR SFX\\C%%Windows%servicing%Editions"
]
}Dropped
[
{
"yara": [],
"sha1": "ee84c81581bf09aa3ac36a18b7a5873ef38bb662",
"name": "3a9975796caebce4_sfxd.exe",
"filepath": "C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "3a9975796caebce42f6f3c59a95e6783143d299b1e4d18e97e97f0523206d693",
"urls": [],
"crc32": "4DE28E5E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/3a9975796caebce4_sfxd.exe",
"ssdeep": null,
"size": 3072,
"sha512": "96c7f224ffb0867b60d11221304ad16c0f1314a18b36d61d6f0b71053c2323e3a7cb34f1aa00ef50bb9be971e7220a8b3e834f6dabc929ec2d25b30d515798ef",
"pids": [
1268,
2588
],
"md5": "699f44c3383caefb96f0b9c78fb05d1f"
},
{
"yara": [],
"sha1": "7d8b3eb56a7b7f0c9121dac26f4cac51a79a7458",
"name": "f7bb837f288515cf_npsm64.exe",
"filepath": "C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"type": "PE32+ executable (GUI) x86-64, for MS Windows",
"sha256": "f7bb837f288515cfdb5900a5fb8fce59b0f0b3865e69c57b79c92a895ddee871",
"urls": [
"http:\/\/www.usertrust.com1",
"http:\/\/ocsp.comodoca.com0",
"http:\/\/crt.usertrust.com\/UTNAddTrustObject_CA.crt0%",
"https:\/\/secure.comodo.net\/CPS0A",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl05",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl0t",
"http:\/\/crl.comodoca.com\/COMODOCodeSigningCA2.crl0r",
"http:\/\/www.nirsoft.net\/",
"http:\/\/crl.usertrust.com\/AddTrustExternalCARoot.crl05",
"http:\/\/ocsp.usertrust.com0",
"http:\/\/crt.comodoca.com\/COMODOCodeSigningCA2.crt0"
],
"crc32": "EDE6875C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/f7bb837f288515cf_npsm64.exe",
"ssdeep": null,
"size": 115296,
"sha512": "2b1745b0439b8c3ef42d30719bba13a86aa8d47df6ec63bb63d636f0604e7779da2ce7f7321df07294b5c375bf18ca75cb845ca1cc6810ad8cc520d279b6ad41",
"pids": [
1268
],
"md5": "2c7eeaff752c453e3d791635bbdafd0a"
},
{
"yara": [],
"sha1": "a19bd00d78692af2cc1bede23e3a7ed602bfc93e",
"name": "98955c793305aaf8_rstyl.exe",
"filepath": "C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "98955c793305aaf88aff7222e268997bb530dfc2c0e06939431e2c4f495fba1e",
"urls": [
"http:\/\/www.usertrust.com1",
"http:\/\/ocsp.comodoca.com0",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl0",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl04",
"http:\/\/api.ipify.org\/",
"https:\/\/secure.comodo.net\/CPS0B",
"http:\/\/www.perfectautomation.com0"
],
"crc32": "8059BDE7",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/98955c793305aaf8_rstyl.exe",
"ssdeep": null,
"size": 221184,
"sha512": "4dfc6ca10f0ec6851bdd55dc337ac98233c2014e193ded7b8f40615b372d276ce7f01380c70a1684cf8d765805b0f5cde0efae1f9381bd6f04cfdb9e2784ddfb",
"pids": [
1268
],
"md5": "8c2347cd266dae829d6a8545fd167b4e"
},
{
"yara": [],
"sha1": "21e99fb2bbc6854bd1c2c8a7a4fdf96d863e1251",
"name": "c3c3992bcf695395_npsm.exe",
"filepath": "C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed",
"sha256": "c3c3992bcf695395df244d93ed91414267d11c78dfa656da117c3131de8a844a",
"urls": [
"http:\/\/www.usertrust.com1",
"http:\/\/ocsp.comodoca.com0",
"http:\/\/crt.usertrust.com\/UTNAddTrustObject_CA.crt0%",
"https:\/\/secure.comodo.net\/CPS0A",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl05",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl0t",
"http:\/\/crl.comodoca.com\/COMODOCodeSigningCA2.crl0r",
"http:\/\/crl.usertrust.com\/AddTrustExternalCARoot.crl05",
"http:\/\/ocsp.usertrust.com0",
"http:\/\/crt.comodoca.com\/COMODOCodeSigningCA2.crt0"
],
"crc32": "1B9E01D1",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/c3c3992bcf695395_npsm.exe",
"ssdeep": null,
"size": 51808,
"sha512": "5187b34904a1cd3df32ab5aadf8eaa2f5174df0e372ba1dc5184629f0398e9df2295b2e7aae97ab670a004b9169091aa0c6d34dde679cf020ed09f384628e618",
"pids": [
1268
],
"md5": "b4010fad407348dec851a70f06e00e51"
},
{
"yara": [],
"sha1": "d6b585a34b112c91e53961d62df90c86fdf8fd3c",
"name": "1fb79568eda03f9e_cuck.tmp",
"filepath": "C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"type": "ASCII text, with no line terminators",
"sha256": "1fb79568eda03f9ed684fa1f0ba02dcbcac9cfdbdb28867098bf2f6af87c94b6",
"urls": [],
"crc32": "5C457BA4",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/1fb79568eda03f9e_cuck.tmp",
"ssdeep": null,
"size": 18,
"sha512": "3dfab70d606d08fa26efaeeabeee892a19a6d035384a1d7837d17d5902c78d8bbd7c0812a2caa4913fa49428d42c27e2d2fae7a337d6fe45ebe68cbd183ae7f0",
"pids": [
2816
],
"md5": "c5db0da0800128da75eb3de3a8d26399"
},
{
"yara": [],
"sha1": "0a428c97f2dc51f83b19ec3bca29598d40f1d524",
"name": "b688886506acb826_russian.lng",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng",
"type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators",
"sha256": "b688886506acb826fa60190e52468b841c32896c2f3cd4bda4e3fd15c20086d4",
"urls": [],
"crc32": "BA14E316",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/b688886506acb826_russian.lng",
"ssdeep": null,
"size": 731,
"sha512": "b14eed623574291e949b1c4b0f4cb6d82eca376801d3a5bec88686252a467877b31d7f66a980dbd6e7d090468b38f198f0fc2dc0ba9a6395713e3e639fcaacb2",
"pids": [
2816
],
"md5": "9469302b6f7a2149e7ccec130eb87c75"
},
{
"yara": [],
"sha1": "484a3dc68ff7d1b4459079e9e830b22b6f027e7f",
"name": "26dbcac0f9b30430_com.dat",
"filepath": "C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"type": "Big-endian UTF-16 Unicode text, with CRLF line terminators",
"sha256": "26dbcac0f9b3043071e9ab8bcfc14693031f337c7d8bba54d02795fce0c62fb7",
"urls": [],
"crc32": "14A2811E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/26dbcac0f9b30430_com.dat",
"ssdeep": null,
"size": 218,
"sha512": "ba9a06dcccabe6cf31c789bca5926f90cfc85b2536d70bab928a3ad2899fae5506ca1fc3eaebf9523ed18c078725a358c76f780e7777c962dba19bf8787349d2",
"pids": [
1268
],
"md5": "41465a5a84fc5d43a850cc82f49c4223"
},
{
"yara": [],
"sha1": "f87597f156a460608b577da0bc4ab708d142104b",
"name": "492e67102db73433_pauto.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\pauto.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "492e67102db73433364b6a0163ce3a0f7e9d5d905033cc2fedca45a210c817cf",
"urls": [
"http:\/\/www.usertrust.com1",
"http:\/\/ocsp.comodoca.com0",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl0",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl04",
"https:\/\/secure.comodo.net\/CPS0B",
"http:\/\/www.perfectautomation.com0"
],
"crc32": "9F89F996",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/492e67102db73433_pauto.dll",
"ssdeep": null,
"size": 32544,
"sha512": "73e50adf7d5967f617c0fcffa0fedbff2837f9582cf762fa62f59340e0b917354405dc5b0f15140b8bd1c719b6c23f66f338f523ac78be8ccfad5033c412783e",
"pids": [
2816
],
"md5": "5395e2e30e9347d2292dc3b610163274"
},
{
"yara": [],
"sha1": "987ba168079d75171b39278e2585de3864d69bf1",
"name": "0a41a12b6383809d_insta.bat",
"filepath": "C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"type": "ASCII text, with CRLF line terminators",
"sha256": "0a41a12b6383809d7b29041da6c3afbb4bf1a1c2f9741fcf958ace7440743c58",
"urls": [],
"crc32": "2122916A",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/0a41a12b6383809d_insta.bat",
"ssdeep": null,
"size": 965,
"sha512": "7a7d8c4e436828238d40a734fbeeacee8c61841a1302a816cf2a86cc8275e48332c49804a2f52ff5c974a294ffc8325353095e82ad1d4b611ae187525dce6011",
"pids": [
1268,
2588
],
"md5": "4afadb4c6c6e373e764085e6e54d686a"
},
{
"yara": [],
"sha1": "2e8f0808c2de000d558b233c33f0ae5aa865c628",
"name": "755f6884967440d3_fileschk.exe",
"filepath": "c:\\windows\\sysvol\\fileschk.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "755f6884967440d3f5d47f59a6827517aea5c74659c4191e3bc293a15d6013c3",
"urls": [],
"crc32": "D84E1EB2",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/755f6884967440d3_fileschk.exe",
"ssdeep": null,
"size": 176128,
"sha512": "2d46bfe4436502de09f31f3bb43cbea43151896811401a4c103a094c0da51a61ff523b2f5befc8616961dde4a9fb68c214f9080e432ee6dd31c71c9750fa4d78",
"pids": [
1268,
2588
],
"md5": "b5f36ffe55de51dd84316682ba81ec82"
},
{
"yara": [],
"sha1": "6e1edfc5fdc4519dad13d689576139f7451730ef",
"name": "7d13d6fb7a3eb874_chek.bat",
"filepath": "C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"type": "ASCII text, with CRLF line terminators",
"sha256": "7d13d6fb7a3eb874ad4b4c46cd8d6c02fc1a1da06d88ab5ca1deaee946b067b1",
"urls": [],
"crc32": "8428FC96",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/7d13d6fb7a3eb874_chek.bat",
"ssdeep": null,
"size": 109,
"sha512": "c3453a96a40d7084d2ac6b94440561e2866d201dd3a737cfd59f779c3c2525e123dbb325ec6f197c7570a514115d53d72ed86b8e65ea27bd274f820a0a1cc3fc",
"pids": [],
"md5": "729996dca10678e468ccea769827adea"
},
{
"yara": [],
"sha1": "37c8eda774167a69ed2fdade320e71c316be12c1",
"name": "fd4d559277dc8d07_drmchk.exe",
"filepath": "C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe",
"type": "PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows",
"sha256": "fd4d559277dc8d076729a30ad607e9596b4e787838a5c23b40d9375a82ddd434",
"urls": [
"http:\/\/curl.haxx.se\/libcurl\/c\/curl_easy_setopt.html",
"http:\/\/curl.haxx.se\/docs\/sslcerts.html",
"http:\/\/curl.haxx.se\/rfc\/cookie_spec.html"
],
"crc32": "44F92371",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/fd4d559277dc8d07_drmchk.exe",
"ssdeep": null,
"size": 400384,
"sha512": "c5f51c3648147f362eb1e364c549ea5be129fef53a7372ef60e35c2c3f190087c741fb3cd28d2c46165e310b62693d10474e1cee398973590b181f1006b17c94",
"pids": [
1268
],
"md5": "75592c89f4279b8e4ef390de70d36478"
},
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14___tmp_rar_sfx_access_check_16896921",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/e3b0c44298fc1c14___tmp_rar_sfx_access_check_16896921",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"yara": [],
"sha1": "df76c30baf15aa7064a3df6d3b4146490212638d",
"name": "8f55bc5329d369a5_Russian.lng",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng",
"type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators",
"sha256": "8f55bc5329d369a5053302b72643df94735a47671b715cef07a7a100eaef7bbf",
"urls": [],
"crc32": "848C99D2",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2456\/files\/8f55bc5329d369a5_Russian.lng",
"ssdeep": null,
"size": 628,
"sha512": "146e8aeea2715821366b2b715ef1fd9079f623bba1b7ed1484e3d8c14586d4e9a3b4ecdd478259b6e186a29e77f4ed91efd13a239e7c2d41f07da4af919a1362",
"pids": [
2772,
2816
],
"md5": "81e8f27f3348ecdedcb69d369ac06e84"
}
]Generic
[
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 2752,
"summary": {
"file_opened": [
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_written": [
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat"
],
"file_exists": [
"C:\\Windows\\servicing\\Editions\\prefetch"
],
"file_read": [
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Windows\\servicing",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\servicing\\Editions",
"C:\\Windows"
]
},
"first_seen": 1568249594.0149,
"ppid": 2816
},
{
"process_path": "C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"process_name": "rstyl.exe",
"pid": 2816,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\pauto.dll",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00"
],
"dll_loaded": [
"gdi32",
"kernel32",
"gdi32.dll",
"kernel32.dll",
"UxTheme.dll",
"dwmapi.dll",
"mpr.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"user32",
"comdlg32",
"advapi32.dll",
"comctl32",
"ole32.dll",
"ws2_32.dll",
"IMM32.dll",
"HHCTRL.OCX",
"version.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"comctl32.dll",
"Kernel32.dll",
"Oleaut32.dll",
"shell32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\pauto.dll",
"SETUPAPI.dll",
"user32.dll"
],
"file_opened": [
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\Pictures\\desktop.ini",
"C:\\Users\\cuck\\Videos\\desktop.ini",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\Music\\desktop.ini",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\pauto.dll",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"file_deleted": [
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck-190911_183309.sndr",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00"
],
"file_exists": [
"C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe",
"C:\\Windows\\SysWOW64\\taskmgr.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\gocuck",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe"
],
"command_line": [
"\"npsm64.exe\" \/allusers \/stext cuck-190911_183309.sndr",
"\"chek.bat\"",
"\"cmd.exe\" \/c echo if ^%sof^% GTR 524 (md go%username%) else ^echo %username%^>^>com.dat>>chek.bat",
"\"cmd.exe\" \/c echo for ^%^%I in (cuck-190911_183309.sndr) do set sof=^%^%^~zI>chek.bat"
],
"file_read": [
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\Videos\\desktop.ini",
"C:\\Users\\cuck\\Pictures\\desktop.ini",
"C:\\Users\\cuck\\Music\\desktop.ini",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Fonts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common AppData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Programs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Programs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Startup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Start Menu",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Fonts",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Programs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Desktop",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Start Menu",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Desktop",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common AppData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Start Menu"
],
"directory_enumerated": [
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\*.lng",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck-190911_183309.sndr",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\*.*",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat"
]
},
"first_seen": 1568249589.4524,
"ppid": 2812
},
{
"process_path": "C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"process_name": "sfxd.exe",
"pid": 2468,
"summary": {
"file_opened": [
"C:\\Windows\\sysvol\\"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Windows\\sysvol\\*"
]
},
"first_seen": 1568249588.0774,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 2812,
"summary": {
"command_line": [
"rstyl.exe "
],
"file_exists": [
"C:\\Windows\\servicing\\Editions\\prefetch"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Windows\\servicing",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"C:\\Windows\\servicing\\Editions",
"C:\\Windows"
]
},
"first_seen": 1568249589.2649,
"ppid": 2772
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 264,
"summary": {
"file_created": [
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_written": [
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat"
],
"file_exists": [
"C:\\Windows\\servicing\\Editions\\prefetch"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Windows\\servicing",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\servicing\\Editions",
"C:\\Windows"
]
},
"first_seen": 1568249593.8117,
"ppid": 2816
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1568249586.3281,
"ppid": 376
},
{
"process_path": "C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"process_name": "sfxd.exe",
"pid": 956,
"summary": {
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Windows\\sysvol\\sysvol\\*"
]
},
"first_seen": 1568249588.7492,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"process_name": "sfxd.exe",
"pid": 2572,
"summary": {
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Windows\\sysvol\\domain\\*"
]
},
"first_seen": 1568249588.2492,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 1096,
"summary": {
"dll_loaded": [
"ADVAPI32.dll"
],
"file_opened": [
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_written": [
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat"
],
"file_exists": [
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\servicing\\Editions\\prefetch\\\"chek.bat\"",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck-190911_183309.sndr"
],
"file_read": [
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\servicing",
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck-190911_183309.sndr",
"C:\\Windows",
"C:\\Windows\\servicing\\Editions\\prefetch\\chek.bat",
"C:\\Windows\\servicing\\Editions"
]
},
"first_seen": 1568249594.2024,
"ppid": 2816
},
{
"process_path": "C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"process_name": "sfxd.exe",
"pid": 2484,
"summary": {
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Windows\\sysvol\\staging areas\\*"
]
},
"first_seen": 1568249588.5774,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"process_name": "npsm64.exe",
"pid": 1504,
"summary": {
"file_created": [
"C:\\Windows\\servicing\\Editions\\prefetch\\cuck-190911_183309.sndr"
],
"dll_loaded": [
"shell32.dll",
"advapi32.dll",
"kernel32.dll",
"comctl32.dll"
],
"file_failed": [
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.cfg"
],
"file_exists": [
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64_lng.ini"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Credentials\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
]
},
"first_seen": 1568249589.7649,
"ppid": 2816
},
{
"process_path": "C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"process_name": "sfxd.exe",
"pid": 2648,
"summary": {
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Windows\\sysvol\\staging\\*"
]
},
"first_seen": 1568249588.3899,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\sysvol\\fileschk.exe",
"process_name": "fileschk.exe",
"pid": 2772,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00"
],
"dll_loaded": [
"gdi32",
"kernel32",
"gdi32.dll",
"kernel32.dll",
"UxTheme.dll",
"dwmapi.dll",
"mpr.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"user32",
"comdlg32",
"advapi32.dll",
"comctl32",
"ole32.dll",
"IMM32.dll",
"HHCTRL.OCX",
"version.dll",
"shell32.dll",
"comctl32.dll",
"Kernel32.dll",
"Oleaut32.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"SETUPAPI.dll",
"user32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\Pictures\\desktop.ini",
"C:\\Users\\cuck\\Videos\\desktop.ini",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\Music\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00"
],
"command_line": [
"\"cmd.exe\" \/c start \/D %windir%\\servicing\\Editions\\prefetch rstyl.exe"
],
"file_read": [
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\Videos\\desktop.ini",
"C:\\Users\\cuck\\Pictures\\desktop.ini",
"C:\\Users\\cuck\\Music\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\Russian.lng"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Fonts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common AppData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Programs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Programs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Startup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Start Menu",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Fonts",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Programs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Desktop",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Start Menu",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders\\Common Desktop",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common AppData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Start Menu"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\*.lng",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\*.*"
]
},
"first_seen": 1568249588.9367,
"ppid": 2588
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin",
"process_name": "3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin",
"pid": 1268,
"summary": {
"file_created": [
"C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"C:\\Windows\\servicing\\Editions\\__tmp_rar_sfx_access_check_16896921",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe"
],
"directory_created": [
"C:\\Windows\\servicing",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\servicing\\Editions",
"C:\\Windows",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"dll_loaded": [
"COMDLG32.dll",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"KERNEL32.DLL",
"OLEAUT32.DLL",
"comctl32",
"ole32.dll",
"COMCTL32.dll",
"USER32.dll",
"IMM32.dll",
"riched32.dll",
"riched20.dll",
"OLEAUT32.dll",
"SHELL32.dll",
"comctl32.dll",
"C:\\Windows\\system32\\shell32.dll",
"GDI32.dll",
"ADVAPI32.dll",
"SETUPAPI.dll",
"COMCTL32.DLL"
],
"file_opened": [
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Windows\\win.ini",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe",
"C:\\Windows\\servicing\\Editions"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\WinRAR SFX",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"
],
"command_line": [
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"\"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat\" "
],
"file_written": [
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe"
],
"file_deleted": [
"C:\\Windows\\servicing\\Editions\\__tmp_rar_sfx_access_check_16896921"
],
"file_exists": [
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\com.dat",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm64.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\npsm.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\drmchk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Windows\\servicing\\Editions\\prefetch"
],
"file_failed": [
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat"
],
"guid": [
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{00000000-0000-0000-c000-000000000046}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{03c036f1-a186-11d0-824a-00aa005b4383}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}"
],
"file_read": [
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e.bin"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\WinRAR SFX\\C%%Windows%servicing%Editions"
]
},
"first_seen": 1568249586.6875,
"ppid": 2308
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 2588,
"summary": {
"file_created": [
"C:\\Windows\\servicing\\Editions\\prefetch\\cpt.tpl"
],
"directory_created": [
"C:\\Windows\\servicing\\GC64",
"C:\\Windows\\servicing\\Sessions",
"C:\\Windows\\servicing\\en-US",
"C:\\Windows\\servicing\\ru-RU",
"C:\\Windows\\sysvol\\staging",
"C:\\Windows\\sysvol\\staging areas",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\sysvol",
"C:\\Windows\\sysvol\\domain",
"C:\\Windows",
"C:\\Windows\\servicing\\Version",
"C:\\Windows\\sysvol\\sysvol",
"C:\\Windows\\servicing\\SQM",
"C:\\Windows\\servicing\\Packages"
],
"dll_loaded": [
"ADVAPI32.dll",
"kernel32.dll"
],
"file_opened": [
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_moved": [
[
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\sysvol\\fileschk.exe"
]
],
"file_written": [
"C:\\Windows\\servicing\\Editions\\prefetch\\cpt.tpl"
],
"file_deleted": [
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat"
],
"file_exists": [
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\sysvol\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing\\Editions\\\"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat\"",
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\servicing\\Editions\\\n",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\tpl.cpt",
"C:\\Windows\\servicing\\Editions"
],
"file_failed": [
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat"
],
"command_line": [
"sfxd.exe \/co \/mo C:\\Windows\\sysvol\\staging\\",
"sfxd.exe \/co \/mo C:\\Windows\\sysvol\\sysvol\\",
"sfxd.exe \/co \/mo C:\\Windows\\sysvol\\",
"sfxd.exe \/co \/mo \"C:\\Windows\\sysvol\\staging areas\\\"",
"C:\\Windows\\sysvol\\fileschk.exe ",
"sfxd.exe \/co \/mo C:\\Windows\\sysvol\\domain\\"
],
"file_read": [
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Windows\\servicing\\Editions\\prefetch",
"C:\\Windows\\sysvol\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\fileschk.exe",
"C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"C:\\Windows\\servicing",
"C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"C:\\Windows",
"C:\\Windows\\servicing\\Editions\\prefetch\\tpl.cpt",
"C:\\Windows\\servicing\\Editions"
]
},
"first_seen": 1568249587.7188,
"ppid": 1268
}
]Signatures
[
{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1568249589.0468,
"tid": 2912,
"flags": {}
},
"pid": 2772,
"type": "call",
"cid": 397
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1568249589.6244,
"tid": 2460,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 485
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 1,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 2,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1568249160.4251,
"tid": 300,
"flags": {}
},
"pid": 1504,
"type": "call",
"cid": 158
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 103,
"families": [],
"description": "Command line console output was observed",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions>",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 183
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 185
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions>",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 218
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "cd",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 220
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " \/D \"\\Windows\\servicing\\Editions\\prefetch\\\" ",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 222
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 250
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 252
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\servicing\\SQM ",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 254
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "A subdirectory or file C:\\Windows\\servicing\\SQM already exists.\r\n",
"console_handle": "0x0000000b"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 262
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 276
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 278
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\servicing\\Editions\\prefetch ",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 280
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "A subdirectory or file C:\\Windows\\servicing\\Editions\\prefetch already exists.\r\n",
"console_handle": "0x0000000b"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 285
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 299
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 301
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\servicing\\en-US ",
"console_handle": "0x00000007"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 303
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "A subdirectory or file C:\\Windows\\servicing\\en-US already exists.\r\n",
"console_handle": "0x0000000b"
},
"time": 1568249587.8438,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 308
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 322
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 324
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\servicing\\GC64 ",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 326
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "A subdirectory or file C:\\Windows\\servicing\\GC64 already exists.\r\n",
"console_handle": "0x0000000b"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 331
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 345
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 347
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\servicing\\Packages ",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 349
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "A subdirectory or file C:\\Windows\\servicing\\Packages already exists.\r\n",
"console_handle": "0x0000000b"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 354
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 368
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 370
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\servicing\\ru-RU ",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 372
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 389
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 391
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\servicing\\Sessions ",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 393
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "A subdirectory or file C:\\Windows\\servicing\\Sessions already exists.\r\n",
"console_handle": "0x0000000b"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 398
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 412
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 414
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\servicing\\Version ",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 416
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "A subdirectory or file C:\\Windows\\servicing\\Version already exists.\r\n",
"console_handle": "0x0000000b"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 421
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 435
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 437
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\sysvol\\domain ",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 439
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 459
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 461
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\sysvol\\staging ",
"console_handle": "0x00000007"
},
"time": 1568249587.8588,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 463
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8747,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 480
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8747,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 482
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " \"C:\\Windows\\sysvol\\staging areas\" ",
"console_handle": "0x00000007"
},
"time": 1568249587.8747,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 484
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8747,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 501
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "md",
"console_handle": "0x00000007"
},
"time": 1568249587.8747,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 503
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " C:\\Windows\\sysvol\\sysvol ",
"console_handle": "0x00000007"
},
"time": 1568249587.8747,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 505
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Windows\\servicing\\Editions\\prefetch>",
"console_handle": "0x00000007"
},
"time": 1568249587.8747,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 532
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "move",
"console_handle": "0x00000007"
},
"time": 1568249587.8747,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 534
}
],
"references": [],
"name": "console_output"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1568249589.0148,
"tid": 2912,
"flags": {}
},
"pid": 2772,
"type": "call",
"cid": 212
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 35,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x00480000"
},
"time": 1568249589.0308,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 272
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x00730000"
},
"time": 1568249589.0308,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 298
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x00750000"
},
"time": 1568249589.0308,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 361
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02bd0000"
},
"time": 1568249589.1088,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 835
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02d20000"
},
"time": 1568249589.1247,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 874
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02d30000"
},
"time": 1568249589.1247,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 875
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x036b0000"
},
"time": 1568249589.1247,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 886
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x036c0000"
},
"time": 1568249589.1247,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 895
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x036d0000"
},
"time": 1568249589.1247,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 901
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x036e0000"
},
"time": 1568249589.1247,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 907
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x036f0000"
},
"time": 1568249589.1247,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 911
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x03700000"
},
"time": 1568249589.1247,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 917
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x03710000"
},
"time": 1568249589.1398,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 921
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x03720000"
},
"time": 1568249589.1558,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 1091
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2772,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x03730000"
},
"time": 1568249589.1558,
"tid": 2912,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2772,
"type": "call",
"cid": 1244
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x003e0000"
},
"time": 1568249589.5464,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 283
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x00610000"
},
"time": 1568249589.5464,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 309
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x00870000"
},
"time": 1568249589.5464,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 372
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x024b0000"
},
"time": 1568249589.6554,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 909
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x024c0000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 947
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x024d0000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 948
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x024e0000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 959
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x024f0000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 968
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02ed0000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 974
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02ee0000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 980
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02ef0000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 984
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02f00000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 990
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02f10000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 994
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02f20000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 1164
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02f30000"
},
"time": 1568249589.6714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 1281
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x03a60000"
},
"time": 1568249589.6864,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 1311
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x03a70000"
},
"time": 1568249590.1714,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 1348
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x03a80000"
},
"time": 1568249593.7024,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 1382
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x03a90000"
},
"time": 1568249593.9214,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 1412
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x03aa0000"
},
"time": 1568249594.1084,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 1442
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 3,
"families": [],
"description": "Creates a suspicious process",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "\"cmd.exe\" \/c echo if ^%sof^% GTR 524 (md go%username%) else ^echo %username%^>^>com.dat>>chek.bat",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "\"cmd.exe\" \/c start \/D %windir%\\servicing\\Editions\\prefetch rstyl.exe",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "\"cmd.exe\" \/c echo for ^%^%I in (cuck-190911_183309.sndr) do set sof=^%^%^~zI>chek.bat",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "suspicious_process"
},
{
"markcount": 3,
"families": [],
"description": "Drops a binary and executes it",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Windows\\servicing\\Editions\\prefetch\\insta.bat",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Windows\\servicing\\Editions\\prefetch\\sfxd.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Windows\\servicing\\Editions\\prefetch\\rstyl.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dropper"
},
{
"markcount": 1,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\gentee00\\pauto.dll",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.8858381160605,
"section": {
"size_of_data": "0x0000b600",
"virtual_address": "0x0001d000",
"entropy": 7.8858381160605,
"name": "UPX1",
"virtual_size": "0x0000c000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.78448275862069,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 3,
"families": [],
"description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
"severity": 2,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeSecurityPrivilege"
},
"time": 1568249586.9225,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 1108
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeRestorePrivilege"
},
"time": 1568249586.9225,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 1109
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1568249160.3781,
"tid": 300,
"flags": {}
},
"pid": 1504,
"type": "call",
"cid": 8
}
],
"references": [],
"name": "privilege_luid_check"
},
{
"markcount": 7,
"families": [],
"description": "Potentially malicious URLs were found in the process memory dump",
"severity": 2,
"marks": [
{
"category": "url",
"ioc": "http:\/\/www.usertrust.com1",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/ocsp.comodoca.com0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl04",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/api.ipify.org\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "https:\/\/secure.comodo.net\/CPS0B",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.perfectautomation.com0",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "memdump_urls"
},
{
"markcount": 2,
"families": [],
"description": "The executable is compressed using UPX",
"severity": 2,
"marks": [
{
"section": "UPX0",
"type": "generic",
"description": "Section name indicates UPX"
},
{
"section": "UPX1",
"type": "generic",
"description": "Section name indicates UPX"
}
],
"references": [],
"name": "packer_upx"
},
{
"markcount": 4,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2588 resumed a thread in remote process 2772",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000080",
"suspend_count": 0,
"process_identifier": 2772
},
"time": 1568249593.4527,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 874
},
{
"category": "Process injection",
"ioc": "Process 2812 resumed a thread in remote process 2816",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000080",
"suspend_count": 0,
"process_identifier": 2816
},
"time": 1568249593.7029,
"tid": 2688,
"flags": {}
},
"pid": 2812,
"type": "call",
"cid": 60
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.1134340763092,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5226,
"time": 9.1183829307556,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7070,
"time": 3.039253950119,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7398,
"time": 1.0329060554504,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7726,
"time": 3.0910680294037,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8054,
"time": 1.5350239276886,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8382,
"time": -0.085645914077759,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8710,
"time": 1.5467150211334,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28120,
"time": 1.0650639533997,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36504,
"time": 3.1250491142273,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "52a0b598e46822448ba6238c828028b3cd42cacef1d5103b17741b87d6006519",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "9432caeb80c79547c92fa1f30f65d2bd8f70e06c87c6108e016d869dcea73f3f",
"irc": [],
"https_ex": []
}Screenshots
rstyle.exe removal instructions
The instructions below shows how to remove rstyle.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the rstyle.exe file for removal, restart your computer and scan it again to verify that rstyle.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate rstyle.exe in the scan result and tick the checkbox next to the rstyle.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate rstyle.exe in the scan result.
c:\downloads\rstyle.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the rstyle.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If rstyle.exe still remains in the scan result, proceed with the next step. If rstyle.exe is gone from the scan result you're done.
- If rstyle.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that rstyle.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 4e68e792f529bc0c69be9980f2f810ad |
| SHA256 | 3e18eb3a0fb61ceada0d8a73b67939a47baddad77706309c40dd7ff5ba75991e |
Error Messages
These are some of the error messages that can appear related to rstyle.exe:
rstyle.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
rstyle.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
rstyle.exe has stopped working.
End Program - rstyle.exe. This program is not responding.
rstyle.exe is not a valid Win32 application.
rstyle.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with rstyle.exe?
To help other users, please let us know what you will do with rstyle.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.