wyxwwy.exe is developed by Liveness according to the wyxwwy.exe version information.
wyxwwy.exe's description is "Gargantuan Charnel".
wyxwwy.exe is usually located in the 'c:\users\%USERNAME%\appdata\roaming\microsoft\windows\start menu\programs\startup\' folder.
Some of the anti-virus scanners at VirusTotal detected wyxwwy.exe.
The following is the available information on wyxwwy.exe:
| Property | Value |
|---|---|
| Company name | Liveness |
| File description | Gargantuan Charnel |
| Original filename | Goldurns |
| Comments | Olograph Combustible |
| Legal copyright | Plier Disassemble |
| File version | 25.89.47.53 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
wyxwwy.exe is not signed.
46 of the 69 anti-virus programs at VirusTotal detected the wyxwwy.exe file. That's a 67% detection rate.
| Scanner | Detection Name |
|---|---|
| Ad-Aware | Trojan.GenericKD.4613578 |
| AegisLab | Trojan.Win32.Snojan.toEA |
| ALYac | Trojan.GenericKD.4613578 |
| Antiy-AVL | Trojan/Win32.BTSGeneric |
| APEX | Malicious |
| Arcabit | Trojan.Generic.D4665CA |
| AVG | FileRepMalware |
| Avira | HEUR/AGEN.1121499 |
| BitDefender | Trojan.GenericKD.4613578 |
| BitDefenderTheta | Gen:NN.ZexaF.34196.huW@aSaOnDli |
| Bkav | W32.AIDetectVM.malware1 |
| Cybereason | malicious.c39daf |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| DrWeb | Trojan.DownLoader24.5906 |
| Elastic | malicious (high confidence) |
| ESET-NOD32 | Win32/Agent.YKT |
| F-Secure | Heuristic.HEUR/AGEN.1121499 |
| FireEye | Generic.mg.05ed23dc39dafd00 |
| Fortinet | W32/Troldesh.71B6!tr.ransom |
| GData | Trojan.GenericKD.4613578 |
| Ikarus | Trojan.Win32.Agent |
| Invincea | heuristic |
| Jiangmin | Trojan.Snojan.ik |
| K7AntiVirus | Trojan ( 00522ab11 ) |
| K7GW | Trojan ( 00522ab11 ) |
| Kaspersky | Trojan.Win32.Snojan.mkp |
| MAX | malware (ai score=87) |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | Artemis!05ED23DC39DA |
| Microsoft | Trojan:Win32/Dynamer!ac |
| MicroWorld-eScan | Trojan.GenericKD.4613578 |
| NANO-Antivirus | Trojan.Win32.Snojan.emoaio |
| Paloalto | generic.ml |
| Panda | Trj/GdSda.A |
| Qihoo-360 | Win32/Trojan.2b7 |
| Rising | Malware.Generic.4!tfe (C64:YzY0OoDgPqA86RqP) |
| SentinelOne | DFI - Suspicious PE |
| Sophos | Mal/Generic-S |
| Symantec | ML.Attribute.HighConfidence |
| TACHYON | Trojan/W32.Snojan.118784 |
| Tencent | Win32.Trojan.Generic.Hfp |
| VIPRE | Trojan.Win32.Generic!BT |
| Yandex | Trojan.Snojan! |
| Zillya | Trojan.Snojan.Win32.576 |
| ZoneAlarm | Trojan.Win32.Snojan.mkp |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RpcSs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\AeLookupSvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\StorSvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\sppuinotify",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\HomeGroupListener",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\lltdsvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\eventlog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\AppIDSvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\sppsvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ehSched",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NlaSvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SNMPTRAP",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SessionEnv",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PNRPAutoReg",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\upnphost",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wmiApSrv",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SamSs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\AudioSrv",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinRM",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\hidserv",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PolicyAgent",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UmRdpService",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\hkmsvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\QWAVE",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\IKEEXT",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TBS",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ALG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WerSvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wudfsvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DcomLaunch",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\defragsvc",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\FontCache3.0.0.0",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WcsPlugInService",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\pla",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BDESVC",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wlansvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WebClient",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\THREADORDER",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BITS",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetTcpPortSharing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SstpSvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MpsSvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\netprofm",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPCSvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Appinfo",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TabletInputService",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WwanSvc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EapHost",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MSDTC",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\msiserver",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\nsi",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Schedule",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RemoteRegistry",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time"
],
"regkey_read": [
],
"dll_loaded": [
]
},
"first_seen": 1598511185.625,
"ppid": 2504
},
]
[
]
The Yara rules did not detect anything in the file.


The instructions below show how to remove wyxwwy.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the wyxwwy.exe file for removal, restart your computer and scan it again to verify that wyxwwy.exe has been successfully removed. Here are the removal instructions in more detail:
| Property | Value |
|---|---|
| MD5 | 05ed23dc39dafd003e4b6e14256077ef |
| SHA256 | 9ce272a734b0f8aab2d5560d1cdd0240f1b22f8e2d7ff0cd5f1c57525b1dc9e8 |
These are some of the error messages that can appear related to wyxwwy.exe:
wyxwwy.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
wyxwwy.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Gargantuan Charnel has stopped working.
End Program - wyxwwy.exe. This program is not responding.
wyxwwy.exe is not a valid Win32 application.
wyxwwy.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
To help other users, please let us know what you will do with wyxwwy.exe:
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.