What is coccoc_vi.exe?
coccoc_vi.exe is part of CocCoc Update and developed by Coc Coc Co., Ltd. according to the coccoc_vi.exe version information.
coccoc_vi.exe's description is "CocCoc Update Setup"
coccoc_vi.exe is digitally signed by COC COC COMPANY LIMITED.
coccoc_vi.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected coccoc_vi.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on coccoc_vi.exe:
| Property | Value |
|---|---|
| Product name | CocCoc Update |
| Company name | Coc Coc Co., Ltd. |
| File description | CocCoc Update Setup |
| Internal name | CocCoc Update Setup |
| Original filename | CocCocUpdateSetup.exe |
| Legal copyright | Copyright 2012 Google Inc. |
| Product version | 2.5.15.103 |
| File version | 2.5.15.103 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | CocCoc Update |
| Company name | Coc Coc Co., Ltd. |
| File description | CocCoc Update Setup |
| Internal name | CocCoc Update Setup |
| Original filename | CocCocUpdateSetup.exe |
| Legal copyright | Copyright 2012 Google Inc. |
| Product version | 2.5.15.103 |
| File version | 2.5.15.103 |
Digital signatures [?]
coccoc_vi.exe has a valid digital signature.
| Property | Value |
|---|---|
| Signer name | COC COC COMPANY LIMITED |
| Certificate issuer name | GlobalSign CodeSigning CA - G3 |
| Certificate serial number | 32016a80ecf7c3164ee394be |
VirusTotal report
1 of the 73 anti-virus programs at VirusTotal detected the coccoc_vi.exe file. That's a 1% detection rate.
| Scanner | Detection Name |
|---|---|
| DrWeb | Trojan.DownLoader27.45365 |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_deleted": [
"C:\\Windows\\Tasks\\GoogleUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001.job",
"C:\\Windows\\Tasks\\GoogleUpdateTaskUser.job",
"C:\\Program Files (x86)\\GUM578A.tmp"
],
"file_created": [
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Program Files (x86)\\GUT579A.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Download",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\CrashReports",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Install",
"C:\\Program Files (x86)\\CocCoc",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Program Files (x86)\\CocCoc\\CrashReports",
"C:\\Program Files (x86)",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc"
],
"dll_loaded": [
"dbghelp.dll",
"kernel32",
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"credssp.dll",
"CFGMGR32.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"ntdll.dll",
"cryptsp.dll",
"api-ms-win-core-synch-l1-2-0",
"winhttp.dll",
"ntmarta.dll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"wkscli.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"cryptbase.dll",
"SspiCli.dll",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"cscapi.dll",
"IPHLPAPI.DLL",
"MPR.DLL",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\kernel32.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"comctl32.dll",
"NSI.dll",
"RpcRtRemote.dll",
"api-ms-win-core-fibers-l1-1-1",
"C:\\Windows\\System32\\wship6.dll",
"C:\\Windows\\system32\\mswsock.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"SETUPAPI.dll",
"WS2_32.dll",
"winhttp"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateBroker.exe",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocCrashHandler.exe",
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e9b3b6918ac282401509cb49d8330aa71ff0141477776820c8bfcc6f4750974c.bin",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateOnDemand.exe",
"C:\\Windows\\Tasks",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Users\\",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Program Files (x86)\\GUT579A.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Program Files (x86)\\CocCoc\\CrashReports",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Program Files (x86)\\",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_vi.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateHelper.msi",
"c:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\coccocupdate.exe",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\Tasks\\",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job",
"c:\\program files (x86)\\GUM578A.tmp\\coccocupdate.exe",
"C:\\Program Files (x86)\\desktop.ini",
"C:\\Users\\cuck\\AppData\\"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e9b3b6918ac282401509cb49d8330aa71ff0141477776820c8bfcc6f4750974c.bin",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateHelper.msi"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateWebPlugin.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateBroker.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psmachine.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocCrashHandler.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocTorrentUpdate.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_vi.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdate.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateOnDemand.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_en.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe"
]
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\LocalServer32",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\proxy",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\NumMethods",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\NumMethods",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser.1.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}",
"HKEY_CLASSES_ROOT\\Outlook.Application.12",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_CLASSES_ROOT\\Outlook.Application.10",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser.1.0",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\VersionIndependentProgID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\LocalServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\LocalServer32",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\Software\\Microsoft",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\CocCocUpdate.exe",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\ProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\CLSID",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\NumMethods",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser.1.0\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}",
"HKEY_LOCAL_MACHINE\\Software\\CocCoc\\Update\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\ProgID",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser.1.0\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\CocCocUpdate.exe",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\VersionIndependentProgID",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\ProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}\\InprocServer32",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\CocCoc\\UpdateDev\\",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\NumMethods",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\NumMethods",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\CurVer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser.1.0",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\NumMethods",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\ProgID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\NumMethods",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser.1.0\\CLSID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\NumMethods",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_CLASSES_ROOT\\Outlook.Application.11",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser.1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\NumMethods",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser.1.0",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\NumMethods",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\VersionIndependentProgID",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser.1.0\\CLSID",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{C0CC0CBB-47DD-46FF-A04D-7011A06486E1}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\CLSID",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\SOFTWARE\\Clients\\StartMenuInternet",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\NumMethods",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\CurVer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\NumMethods",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}\\InProcServer32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_CLASSES_ROOT\\Outlook.Application",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_CURRENT_USER\\Software\\Classes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\Preference",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\CocCocUpdate.exe",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\LocalServer32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\ProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}",
"HKEY_CURRENT_USER\\Software",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\VersionIndependentProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\VersionIndependentProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\CocCocUpdate.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\CocCoc\\",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\CurVer",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\NumMethods",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_CURRENT_USER\\SOFTWARE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\NumMethods",
"HKEY_CLASSES_ROOT\\Interface",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\CurVer",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\NumMethods",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\CurVer",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\LocalServer32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser.1.0\\CLSID",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser"
],
"file_moved": [
[
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe.old"
]
],
"file_written": [
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"\\\\?\\PIPE\\wkssvc",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Program Files (x86)\\GUT579A.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupCollapseState",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableCount",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\LastCodeRedCheck",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ui",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\eulaaccepted",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\LastChecked",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemPos800x600x96(1)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}\\InprocServer32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemOrder",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableSince",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}"
],
"command_line": [
"\"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe\" \/installsource taggedmi \/install \"appguid={C0CC0CBB-47DD-46FF-A04D-7011A06486E1}&appname=C%E1%BB%91c%20C%E1%BB%91c&needsadmin=false&lang=vi&client={00000000-0000-0000-0000-000000000000}&brand=XXXX\"",
"\"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe\" \/regserver",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe \/handoff \"appguid={C0CC0CBB-47DD-46FF-A04D-7011A06486E1}&appname=C%E1%BB%91c%20C%E1%BB%91c&needsadmin=false&lang=vi&client={00000000-0000-0000-0000-000000000000}&brand=XXXX\" \/installsource taggedmi \/sessionid \"{32761EF4-8770-4B28-BB79-9A12AE8D4036}\"",
"\"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe\" \/handoff \"appguid={C0CC0CBB-47DD-46FF-A04D-7011A06486E1}&appname=C%E1%BB%91c%20C%E1%BB%91c&needsadmin=false&lang=vi&client={00000000-0000-0000-0000-000000000000}&brand=XXXX\" \/installsource taggedmi \/sessionid \"{32761EF4-8770-4B28-BB79-9A12AE8D4036}\"",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe \/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIyLjUuMTUuMTAzIiBzaGVsbF92ZXJzaW9uPSIyLjUuMTUuMTAzIiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0iezMyNzYxRUY0LTg3NzAtNEIyOC1CQjc5LTlBMTJBRThENDAzNn0iIHVzZXJpZD0iOUE2MUFCODgtNTY4Mi00MTRGLUIzQjAtRTgzODY5NDlEQjIyIiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgcmVxdWVzdGlkPSJ7MzNFQkVDOTEtQkY0Ni00N0Y3LUFGOTktQ0Q2RThCQTJCMUI4fSIgZGVkdXA9ImNyIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIyLjUuMTUuMTAzIiBsYW5nPSJ2aSIgYnJhbmQ9IlhYWFgiIGNsaWVudD0iezAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTk2OSIvPjwvYXBwPjwvcmVxdWVzdD4",
"\"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe\" \/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIyLjUuMTUuMTAzIiBzaGVsbF92ZXJzaW9uPSIyLjUuMTUuMTAzIiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0iezMyNzYxRUY0LTg3NzAtNEIyOC1CQjc5LTlBMTJBRThENDAzNn0iIHVzZXJpZD0iOUE2MUFCODgtNTY4Mi00MTRGLUIzQjAtRTgzODY5NDlEQjIyIiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgcmVxdWVzdGlkPSJ7MzNFQkVDOTEtQkY0Ni00N0Y3LUFGOTktQ0Q2RThCQTJCMUI4fSIgZGVkdXA9ImNyIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIyLjUuMTUuMTAzIiBsYW5nPSJ2aSIgYnJhbmQ9IlhYWFgiIGNsaWVudD0iezAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTk2OSIvPjwvYXBwPjwvcmVxdWVzdD4"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateBroker.exe",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\CrashReports",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_en.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateOnDemand.exe",
"C:\\cuckoo_2700.ini",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdate.exe",
"C:\\CocCocUpdate.ini",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocCrashHandler.exe",
"C:\\Program Files (x86)\\CocCoc",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\cuckoo_1788.ini",
"C:\\Program Files (x86)\\CocCoc\\CrashReports",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Users",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Download",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe.old",
"C:\\cuckoo_1424.ini",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103",
"C:\\Users\\cuck",
"C:\\Program Files (x86)",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_vi.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Program Files (x86)\\GUM578A.tmp\\OfflineManifest.gup",
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\cuckoo_264.ini",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateHelper.msi",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Install",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe"
],
"mutex": [
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{A9A86B93-B54E-4570-BE89-42418507707B}",
"Local\\Shell.CMruPidlList",
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{0A175FBE-AEEC-4fea-855A-2AA549A88846}",
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{D19BAF17-7C87-467E-8D63-6C4B1C836373}",
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{6885AE8E-C070-458d-9711-37B9BEAB65F6}"
],
"file_failed": [
"C:\\cuckoo_264.ini",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"C:\\cuckoo_1788.ini",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job",
"C:\\cuckoo_1424.ini",
"\\\\?\\pipe\\CocCocCrashServices\\S-1-5-21-699399860-4089948139-3198924279-1001",
"C:\\cuckoo_2700.ini"
],
"resolves_host": [
"browser.coccoc.com"
],
"guid": [
"{9b63616c-36b2-46bc-959f-c1593952d19b}",
"{1a1f4206-0688-4e7f-be03-d82ec69df9a5}",
"{42aedc87-2188-41fd-b9a3-0c966feabec1}",
"{148bd527-a2ab-11ce-b11f-00aa00530503}",
"{46a6eeff-908e-4dc6-92a6-64be9177b41c}",
"{2933bf81-7b36-11d2-b20e-00c04f983e60}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}",
"{2fb499a3-cfce-480f-a5f3-2453db7a2b7a}",
"{f6d90f11-9c73-11d3-b32e-00c04f990bb4}",
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{660b90c8-73a9-4b58-8cae-355b7f55341b}",
"{148bd52a-a2ab-11ce-b11f-00aa00530503}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateBroker.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocCrashHandler.exe",
"\\\\?\\PIPE\\wkssvc",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateOnDemand.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Program Files (x86)\\GUT579A.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psmachine.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_vi.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateHelper.msi",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe",
"C:\\Program Files (x86)\\desktop.ini"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\PerceivedType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\usagestats",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\uid-create-time",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\brand",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\78B00063",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\FirstEntry",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClearRecentDocsOnExit",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\eulaaccepted",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\old-uid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PromotedIconCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\2019",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\DocObject",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\LastEntry",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU Size",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastActivity",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\InstallTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\coccoc_task_ua",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\coccoc_task_c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\Content Type",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\proxy\\source",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Clients\\StartMenuInternet\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\uid-num-rotations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\2007"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Install\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Download\\*",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\*.*"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}\\InprocServer32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Sort",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:PID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\IconSize",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\brand",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}\\InProcServer32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\path",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}\\InprocHandler32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CocCoc Update",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\\Desktop\\TaskbarWinXP",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\UserStartTime",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfInstall",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2\\Settings",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}\\InProcServer32\\ThreadingModel",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\Policy",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\LastOSVersion",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\IsMSIHelperRegistered",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}\\name",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ColInfo",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}\\InprocServer32\\ThreadingModel",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByDirection",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}\\InprocHandler32\\ThreadingModel",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PastIconsStream",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\TorrentPath",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Mode",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastActivity",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\InstallTime",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\client",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:FMTID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\FFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\version",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\LastAdvertisement",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\UninstallCmdLine",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\LogicalViewMode",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\ProxyStubClsid32\\(Default)"
]
}Dropped
[
{
"yara": [],
"sha1": "7a59a4c59f309183ed8cc8bae41b5e0442f700f3",
"name": "02d97421e27d6301_coccocpdate.dll",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "02d97421e27d630127e3efaff58e5a192a0680f88bce78cd9dc025924a31aeff",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "115E81C9",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/02d97421e27d6301_coccocpdate.dll",
"ssdeep": null,
"size": 1847008,
"sha512": "def43f2c009bb653a061d15fdab0f7c1c0c8eb60c7d7fc365737f414ca8483d140a6e3c863a4ca732abbf0996fe24a89f3cd16835107583b7a36064534ad8de4",
"pids": [
1268
],
"md5": "edc529b95e6cd8835e93c28cd7ed0b0a"
},
{
"yara": [],
"sha1": "25665f508e6a4d4a1bab111e975d76a88507a7df",
"name": "0b6e346f3b1a83af_coccoccrashhandler.exe",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "0b6e346f3b1a83af551ca7be23c4e36c81d7a1886907932d81e8f9d484498f18",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "65DCD300",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/0b6e346f3b1a83af_coccoccrashhandler.exe",
"ssdeep": null,
"size": 286944,
"sha512": "d525c2f4ab65f3e07df5d9d542846f7d6f1f8ac0989e0b36a4bb87c47d3873a1767da7d91fe2ad39876325a538b687c0174a3d620c3bd474ec6c9527a1446854",
"pids": [
1268
],
"md5": "c63981952a217dd3a40d84d0f47a727a"
},
{
"yara": [],
"sha1": "8cc66fe695d3b8ac0f4fb2566387344dc4e0d920",
"name": "2a7e3fd7495ca7fa_coccocupdatebroker.exe",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "2a7e3fd7495ca7fa31bd90b84df89c074a5887fd63c6744c2318fe40c50d3afe",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "48563F99",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/2a7e3fd7495ca7fa_coccocupdatebroker.exe",
"ssdeep": null,
"size": 101600,
"sha512": "7d3e74e87be555ff46c4d3f70a7d3ea5fd884deab4738df730f03d10e9657445a5262528d62b75c9552828d8aee6fdd3ad2ba1ad9d90be3602d0171ca7688e24",
"pids": [
1268
],
"md5": "2cfd15c03fd298c1aa48355ae1b114ea"
},
{
"yara": [],
"sha1": "dcf0882e6105055dc1c6ecda3cc8d902073c5e4a",
"name": "fe50beb918b84011_coccocupdate.exe",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "fe50beb918b84011f7f37ee53ac9bc0538f72150dd4564bf8283ae0283530361",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "36C5A057",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/fe50beb918b84011_coccocupdate.exe",
"ssdeep": null,
"size": 116448,
"sha512": "37aa515e704056277471c6477ede5b89742fc03be036dbfd3514a0b88f5a72f6f356e4e2fead2efc5a6c0e942ca570c2897e70ec6a376f4a62dc68f822b67524",
"pids": [
1268
],
"md5": "20bbd5942f39ff6704b57317cff92f34"
},
{
"yara": [],
"sha1": "ab6393dfc6ae64c798fdd94c25466b3ecf75d468",
"name": "9be07733206324b2_uid",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"type": "ASCII text, with no line terminators",
"sha256": "9be07733206324b280734859e131a54878074c60245f6707842fee8f679ec211",
"urls": [],
"crc32": "DA3363CC",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/9be07733206324b2_uid",
"ssdeep": null,
"size": 36,
"sha512": "443554cfe39c17e0760887d02ed905700d967b727343e3f145482ab380f5eb5452f4c97c2fbe06bd3a1d60350d8222099624cdbd538759ce4270f63c2823ad9f",
"pids": [
2968
],
"md5": "2cff7fb007f5d45f4df04b25002c10d3"
},
{
"yara": [],
"sha1": "11c60f18ed32c328288668bfbe1b99b5d49a15d9",
"name": "d4c0ba8a2ca6bd7f_coccocupdatetaskusers-1-5-21-699399860-4089948139-3198924279-1001ua.job",
"filepath": "C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"type": "VAX-order 68k Blit mpx\/mux executable",
"sha256": "d4c0ba8a2ca6bd7f9bb547e24d2685fb449051ff436b782afd6a148403ea852e",
"urls": [],
"crc32": "0DBF11CE",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/d4c0ba8a2ca6bd7f_coccocupdatetaskusers-1-5-21-699399860-4089948139-3198924279-1001ua.job",
"ssdeep": null,
"size": 998,
"sha512": "0a4421d5280f77601e3e8780e1f57baae012c5879604dd818ca152fad468802d73e5502093c6dc3ecd15f209f18029fdf3388ba6cf8bf1b26afdd98db1d81e4c",
"pids": [
2968
],
"md5": "703ddf317f5660de629bc7cf094b6d4d"
},
{
"yara": [],
"sha1": "d737024c17062bc3ad69fed2503b892dee62ac23",
"name": "afc10c16aa2df36e_coccocupdatehelper.msi",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"type": "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Google Update Helper, Author: Google Inc., Keywords: Installer, Comments: Copyright 2007-2010 Google Inc., Template: Intel;1033, Revision Number: {7321451F-329D-4FFE-ACED-ABCC53DF01BB}, Create Time\/Date: Wed Mar 13 08:27:32 2019, Last Saved Time\/Date: Wed Mar 13 08:27:32 2019, Number of Pages: 300, Number of Words: 0, Name of Creating Application: Windows Installer XML Toolset (3.10.3.3007), Security: 2",
"sha256": "afc10c16aa2df36e914ec447e3c64f63c0205057d739ac41ff268f0037f860d6",
"urls": [
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/crl.globalsign.net\/root.crl0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V"
],
"crc32": "4E34F9F9",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/afc10c16aa2df36e_coccocupdatehelper.msi",
"ssdeep": null,
"size": 40960,
"sha512": "7ec4e4027cdc7438b5e3cba89f8cc9886f1c27d8d9e412a912c6db0021ddb70d575c6345b9fc58ffc81c4ec0a1ff93e6821a429153d9506233f9fb48ecfe2146",
"pids": [
1268
],
"md5": "4373103fd7474ce5bc0dbbf08b09da71"
},
{
"yara": [],
"sha1": "7194f2a06ed5392a6979d2c3035f279202b0f758",
"name": "48f98e5b9edae73d_coccocupdatetaskusers-1-5-21-699399860-4089948139-3198924279-1001core.job",
"filepath": "C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job",
"type": "VAX-order 68k Blit mpx\/mux executable",
"sha256": "48f98e5b9edae73de7aeb70423799d66afe598637e251d21cd05c44c082db740",
"urls": [],
"crc32": "C0FE7CBA",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/48f98e5b9edae73d_coccocupdatetaskusers-1-5-21-699399860-4089948139-3198924279-1001core.job",
"ssdeep": null,
"size": 946,
"sha512": "c0dcbd9a541e9a1ba144981831cdefc0cc2cb8bd522ee036e8096d2d6f919c41bfddb42c4cc9c8ab7ba60add4e28d845388f41ba93a27badfc3820aeb828ea18",
"pids": [
2968
],
"md5": "6bb06f46a792d93c9a781ec7734df0df"
},
{
"yara": [],
"sha1": "a962afe17531f9fe72b37152f6cc70cabe51ad86",
"name": "596ef8eeb8ebdfbd_coccocpdateres_vi.dll",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "596ef8eeb8ebdfbd3bdc1a81130a0ed3eff5480ec8ec00ae452ed36499960888",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "13F94208",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/596ef8eeb8ebdfbd_coccocpdateres_vi.dll",
"ssdeep": null,
"size": 390880,
"sha512": "ec7a9a5b9462487efcbe1f382621bb8e0197701666c550f187fb65e9a3608588556be0426824e92cdb465a79da1ab159ce28ee922d76b610aa565c6fcab7c22d",
"pids": [
1268
],
"md5": "642ce21e4c2e7dbaddf980cf22d9a647"
},
{
"yara": [],
"sha1": "693cccf2418fed296e49290d7d658cc74b79c29a",
"name": "8ea165dd87e6055c_psuser.dll",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "8ea165dd87e6055cc0b246b4604f43040092e85c9b56581f039560f414794942",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "F35D659D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/8ea165dd87e6055c_psuser.dll",
"ssdeep": null,
"size": 214752,
"sha512": "7796d3cd63fa53ac25cc3ce268f57c00a3e575ae098954670181350935c9ede35496f64146aeff60720cdd2927ea46c9a2ce0a62abf7e37377e3f7d3c69dfbdb",
"pids": [
1268
],
"md5": "a4a452c6e128405462594a5d7672f188"
},
{
"yara": [],
"sha1": "6458d106a53a1a3008faf81e8e413f3641eb6931",
"name": "b3fbc6a698ff3e7d_coccocpdateres_en.dll",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "b3fbc6a698ff3e7dd919041a7edaa9ee1b2bd54d79d50a9f69bc255f88c781fc",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "42DEE492",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/b3fbc6a698ff3e7d_coccocpdateres_en.dll",
"ssdeep": null,
"size": 389856,
"sha512": "6d860d4cb27620b4d84e19c2a9a59253a9a3d71461dd72d8cd7d3f47f04556dcacebb69b9a2557140c9c5d6d1ac0747fad177b4ca3845d517fa0261089191839",
"pids": [
1268
],
"md5": "99e20a86a8a3df4f95154f3dad91345a"
},
{
"yara": [],
"sha1": "8d0f4e11046c2bfeaeaca6f19b549119ba70f67f",
"name": "67b69955cef68eac_coccocupdateondemand.exe",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "67b69955cef68eace213a024122a63d2ca68afee18a98c86e2db8c70547b36ce",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "59CEAE56",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/67b69955cef68eac_coccocupdateondemand.exe",
"ssdeep": null,
"size": 101600,
"sha512": "065dba52bc1801bbb58fc9bb45cd63cc0a901533e0bc9352035638a96166e81238e4a863f5b5ecde827a937950cbc47f4f69feb32c9448c214fe9174a3a85324",
"pids": [
1268
],
"md5": "e50f297618309f1047f001dac6813fd6"
},
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14_GUM578A.tmp",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/e3b0c44298fc1c14_GUM578A.tmp",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"yara": [],
"sha1": "085340bd5b9471bfe92f8689aacb5c777af14ce5",
"name": "cee821b8e9e3f339_psmachine.dll",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "cee821b8e9e3f339a5fc91a40fd8505ac88d975025d893bef76f88ec2ca1264c",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "44B4FB9C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/cee821b8e9e3f339_psmachine.dll",
"ssdeep": null,
"size": 214752,
"sha512": "15ca7fafc60bacc5a2a5d6bdf72d33a4b5250ec8f1b3018f1418102d52ea09243e8a7642727b2648ec1db4b2ed96134abca24cbed71620fd917d885b906c0895",
"pids": [
1268
],
"md5": "700e653720960c7eeab8d1b570c5970a"
},
{
"yara": [
{
"meta": {
"description": "Contains an embedded PE32 file",
"author": "nex"
},
"name": "embedded_pe",
"offsets": {
"b": [
[
590,
0
],
[
117838,
0
],
[
405582,
0
],
[
2294862,
0
],
[
2397262,
0
],
[
2499662,
0
],
[
2602062,
0
],
[
2817614,
0
],
[
3033166,
0
],
[
4646478,
0
],
[
5037134,
0
]
]
},
"strings": [
"VGhpcyBwcm9ncmFt"
]
},
{
"meta": {
"description": "A non-Windows executable contains win32 API functions names",
"author": "nex"
},
"name": "embedded_win_api",
"offsets": {
"api6": [
[
81210,
5
],
[
360068,
5
],
[
1222740,
5
],
[
2362268,
5
],
[
2464684,
5
],
[
2567068,
5
],
[
2762170,
5
],
[
2977718,
5
],
[
4468880,
5
]
],
"api7": [
[
1226066,
4
]
],
"api2": [
[
80474,
0
],
[
358468,
0
],
[
1222848,
0
],
[
2361668,
0
],
[
2464084,
0
],
[
2566468,
0
],
[
2760748,
0
],
[
2976296,
0
],
[
4468968,
0
]
],
"api3": [
[
4468986,
2
]
],
"api12": [
[
81554,
3
],
[
360450,
3
],
[
361008,
3
],
[
1222776,
3
],
[
1224892,
3
],
[
2362734,
3
],
[
2465150,
3
],
[
2567534,
3
],
[
2762936,
3
],
[
2978484,
3
],
[
4468860,
3
]
],
"api13": [
[
360870,
1
],
[
1223272,
1
]
]
},
"strings": [
"R2V0UHJvY0FkZHJlc3M=",
"R2V0VGVtcFBhdGg=",
"TG9hZExpYnJhcnlB",
"U2V0RmlsZVBvaW50ZXI=",
"U2hlbGxFeGVjdXRl",
"V3JpdGVGaWxl"
]
},
{
"meta": {
"description": "Matched shellcode byte patterns",
"author": "nex"
},
"name": "shellcode",
"offsets": {
"shell4": [
[
1054413,
3
]
],
"shell5": [
[
70432,
1
],
[
70455,
1
],
[
267920,
1
],
[
267943,
1
],
[
1023376,
1
],
[
1023399,
1
],
[
2331360,
1
],
[
2331383,
1
],
[
2433760,
1
],
[
2433783,
1
],
[
2536192,
1
],
[
2536215,
1
],
[
2682800,
1
],
[
2682823,
1
],
[
2898352,
1
],
[
2898375,
1
],
[
4132624,
1
],
[
4132647,
1
],
[
4151593,
1
]
],
"shell6": [
[
23255,
2
],
[
26927,
2
],
[
27604,
2
],
[
40773,
2
],
[
49294,
2
],
[
50347,
2
],
[
60770,
2
],
[
121446,
2
],
[
121680,
2
],
[
122108,
2
],
[
122837,
2
],
[
123403,
2
],
[
125603,
2
],
[
127059,
2
],
[
138802,
2
],
[
142296,
2
],
[
144003,
2
],
[
144261,
2
],
[
148220,
2
],
[
162687,
2
],
[
163014,
2
],
[
163687,
2
],
[
178826,
2
],
[
180305,
2
],
[
181500,
2
],
[
183189,
2
],
[
184059,
2
],
[
184926,
2
],
[
185731,
2
],
[
187566,
2
],
[
188589,
2
],
[
196392,
2
],
[
196858,
2
],
[
197851,
2
],
[
198213,
2
],
[
199179,
2
],
[
201901,
2
],
[
202836,
2
],
[
207301,
2
],
[
213632,
2
],
[
214025,
2
],
[
214409,
2
],
[
216539,
2
],
[
230977,
2
],
[
232030,
2
],
[
248466,
2
],
[
254466,
2
],
[
255631,
2
],
[
419325,
2
],
[
424306,
2
],
[
426809,
2
],
[
427042,
2
],
[
427470,
2
],
[
428219,
2
],
[
428976,
2
],
[
429493,
2
],
[
436959,
2
],
[
444748,
2
],
[
445573,
2
],
[
451338,
2
],
[
456096,
2
],
[
456419,
2
],
[
456863,
2
],
[
462531,
2
],
[
463412,
2
],
[
463660,
2
],
[
464180,
2
],
[
464504,
2
],
[
466715,
2
],
[
470739,
2
],
[
471988,
2
],
[
472563,
2
],
[
472677,
2
],
[
473046,
2
],
[
475964,
2
],
[
477803,
2
],
[
480212,
2
],
[
484541,
2
],
[
487144,
2
],
[
489232,
2
],
[
492975,
2
],
[
493475,
2
],
[
495238,
2
],
[
496052,
2
],
[
500757,
2
],
[
503033,
2
],
[
507575,
2
],
[
509994,
2
],
[
510369,
2
],
[
520502,
2
],
[
535629,
2
],
[
538068,
2
],
[
539301,
2
],
[
542633,
2
],
[
561129,
2
],
[
576105,
2
],
[
578080,
2
],
[
580857,
2
],
[
601843,
2
],
[
612277,
2
],
[
641699,
2
],
[
641781,
2
],
[
651420,
2
],
[
688161,
2
],
[
689247,
2
],
[
691654,
2
],
[
707029,
2
],
[
721004,
2
],
[
721990,
2
],
[
722368,
2
],
[
723692,
2
],
[
729228,
2
],
[
729805,
2
],
[
736356,
2
],
[
739131,
2
],
[
739572,
2
],
[
739868,
2
],
[
757664,
2
],
[
759039,
2
],
[
761721,
2
],
[
764061,
2
],
[
770112,
2
],
[
773639,
2
],
[
773764,
2
],
[
780144,
2
],
[
785491,
2
],
[
791586,
2
],
[
792454,
2
],
[
813213,
2
],
[
825599,
2
],
[
825719,
2
],
[
829067,
2
],
[
836204,
2
],
[
837170,
2
],
[
838234,
2
],
[
839167,
2
],
[
841501,
2
],
[
842424,
2
],
[
843920,
2
],
[
845003,
2
],
[
845447,
2
],
[
845910,
2
],
[
846525,
2
],
[
847402,
2
],
[
848159,
2
],
[
849290,
2
],
[
849701,
2
],
[
860835,
2
],
[
863773,
2
],
[
868697,
2
],
[
882373,
2
],
[
884015,
2
],
[
886276,
2
],
[
895723,
2
],
[
916420,
2
],
[
916886,
2
],
[
918000,
2
],
[
919643,
2
],
[
920786,
2
],
[
924868,
2
],
[
925131,
2
],
[
925770,
2
],
[
951136,
2
],
[
952361,
2
],
[
952745,
2
],
[
953138,
2
],
[
953522,
2
],
[
955788,
2
],
[
969584,
2
],
[
984235,
2
],
[
991970,
2
],
[
1001859,
2
],
[
1003459,
2
],
[
1004207,
2
],
[
1011704,
2
],
[
1012234,
2
],
[
1012812,
2
],
[
1017929,
2
],
[
1025800,
2
],
[
1035176,
2
],
[
1035610,
2
],
[
1036363,
2
],
[
1037499,
2
],
[
1038039,
2
],
[
1038637,
2
],
[
1041714,
2
],
[
1043356,
2
],
[
1057533,
2
],
[
1057656,
2
],
[
1061557,
2
],
[
2296129,
2
],
[
2297868,
2
],
[
2299019,
2
],
[
2308190,
2
],
[
2309930,
2
],
[
2310983,
2
],
[
2321522,
2
],
[
2398529,
2
],
[
2400268,
2
],
[
2401419,
2
],
[
2410590,
2
],
[
2412330,
2
],
[
2413383,
2
],
[
2423922,
2
],
[
2500929,
2
],
[
2502693,
2
],
[
2503851,
2
],
[
2513022,
2
],
[
2514762,
2
],
[
2515815,
2
],
[
2526354,
2
],
[
2606973,
2
],
[
2607892,
2
],
[
2612442,
2
],
[
2612960,
2
],
[
2615603,
2
],
[
2617344,
2
],
[
2623905,
2
],
[
2626939,
2
],
[
2628515,
2
],
[
2629481,
2
],
[
2630677,
2
],
[
2630940,
2
],
[
2633395,
2
],
[
2652585,
2
],
[
2664471,
2
],
[
2665001,
2
],
[
2665579,
2
],
[
2672930,
2
],
[
2674907,
2
],
[
2822525,
2
],
[
2823444,
2
],
[
2827994,
2
],
[
2828512,
2
],
[
2831155,
2
],
[
2832896,
2
],
[
2839457,
2
],
[
2842491,
2
],
[
2844067,
2
],
[
2845033,
2
],
[
2846229,
2
],
[
2846492,
2
],
[
2848947,
2
],
[
2868137,
2
],
[
2880023,
2
],
[
2880553,
2
],
[
2881131,
2
],
[
2888482,
2
],
[
2890459,
2
],
[
3054419,
2
],
[
3063230,
2
],
[
3063546,
2
],
[
3064765,
2
],
[
3064927,
2
],
[
3065061,
2
],
[
3065195,
2
],
[
3065329,
2
],
[
3065716,
2
],
[
3065823,
2
],
[
3066559,
2
],
[
3067107,
2
],
[
3067566,
2
],
[
3067857,
2
],
[
3068008,
2
],
[
3068145,
2
],
[
3068558,
2
],
[
3068834,
2
],
[
3069874,
2
],
[
3070765,
2
],
[
3070896,
2
],
[
3071825,
2
],
[
3072066,
2
],
[
3073851,
2
],
[
3074407,
2
],
[
3075062,
2
],
[
3075251,
2
],
[
3109081,
2
],
[
3167360,
2
],
[
3173252,
2
],
[
3204647,
2
],
[
3209575,
2
],
[
3216410,
2
],
[
3263633,
2
],
[
3315532,
2
],
[
3356456,
2
],
[
3357132,
2
],
[
3431445,
2
],
[
3465715,
2
],
[
3629781,
2
],
[
3677808,
2
],
[
3702941,
2
],
[
3799500,
2
],
[
3807658,
2
],
[
3815879,
2
],
[
3816139,
2
],
[
3855434,
2
],
[
3864307,
2
],
[
3864880,
2
],
[
3868754,
2
],
[
3869444,
2
],
[
3872194,
2
],
[
3873739,
2
],
[
3876206,
2
],
[
3877139,
2
],
[
3878976,
2
],
[
3884927,
2
],
[
3890009,
2
],
[
3905633,
2
],
[
3913163,
2
],
[
3918451,
2
],
[
3938371,
2
],
[
3938634,
2
],
[
3941728,
2
],
[
3950800,
2
],
[
3966134,
2
],
[
4050984,
2
],
[
4051675,
2
],
[
4052055,
2
],
[
4053525,
2
],
[
4067490,
2
],
[
4067851,
2
],
[
4067974,
2
],
[
4074068,
2
],
[
4081890,
2
],
[
4105174,
2
],
[
4106663,
2
],
[
4107404,
2
],
[
4118353,
2
],
[
4126964,
2
],
[
4127862,
2
],
[
4135027,
2
],
[
4136285,
2
],
[
4144311,
2
],
[
4144745,
2
],
[
4145491,
2
],
[
4146564,
2
],
[
4147104,
2
],
[
4147696,
2
],
[
4151885,
2
],
[
4163794,
2
]
],
"shell7": [
[
26164,
0
],
[
42380,
0
],
[
190416,
0
],
[
200747,
0
],
[
208925,
0
],
[
282658,
0
],
[
287294,
0
],
[
418049,
0
],
[
521185,
0
],
[
521480,
0
],
[
521746,
0
],
[
523596,
0
],
[
523622,
0
],
[
523853,
0
],
[
523975,
0
],
[
524389,
0
],
[
524575,
0
],
[
524601,
0
],
[
524675,
0
],
[
524701,
0
],
[
524727,
0
],
[
682780,
0
],
[
702329,
0
],
[
702355,
0
],
[
702487,
0
],
[
702513,
0
],
[
782181,
0
],
[
923262,
0
],
[
923707,
0
],
[
943828,
0
],
[
951874,
0
],
[
975831,
0
],
[
2297440,
0
],
[
2304251,
0
],
[
2399840,
0
],
[
2406651,
0
],
[
2502265,
0
],
[
2509083,
0
],
[
2617677,
0
],
[
2618125,
0
],
[
2631481,
0
],
[
2631926,
0
],
[
2644975,
0
],
[
2655621,
0
],
[
2833229,
0
],
[
2833677,
0
],
[
2847033,
0
],
[
2847478,
0
],
[
2860527,
0
],
[
2871173,
0
],
[
3077723,
0
],
[
3085798,
0
],
[
3116096,
0
],
[
3357964,
0
],
[
3843747,
0
],
[
3858806,
0
],
[
3936399,
0
],
[
3936797,
0
],
[
3936822,
0
],
[
3950109,
0
],
[
4020089,
0
],
[
4020283,
0
],
[
4037695,
0
],
[
4097986,
0
]
],
"shell2": [
[
42393,
4
],
[
48483,
4
],
[
208938,
4
],
[
230166,
4
],
[
975844,
4
],
[
1010957,
4
],
[
2304264,
4
],
[
2313204,
4
],
[
2406664,
4
],
[
2415604,
4
],
[
2509096,
4
],
[
2518036,
4
],
[
2655634,
4
],
[
2663724,
4
],
[
2871186,
4
],
[
2879276,
4
],
[
4097998,
4
]
]
},
"strings": [
"VYvs6A==",
"VYvsg8Q=",
"VYvsgew=",
"ZIs1MA==",
"ZKEw"
]
}
],
"sha1": "aec228d0ab11e2f8568397ff09ea8c4254b69bd3",
"name": "40b67a98cc6a712c_gut579a.tmp",
"filepath": "C:\\Program Files (x86)\\GUT579A.tmp",
"type": "POSIX tar archive (GNU)",
"sha256": "40b67a98cc6a712cc9c0645eab4688b11bcba7b64c17d98ecefa165b0bb138d8",
"urls": [
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/",
"http:\/\/crl.globalsign.net\/root.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"https:\/\/www.globalsign.com\/repository\/06",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0"
],
"crc32": "320B8C39",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/40b67a98cc6a712c_gut579a.tmp",
"ssdeep": null,
"size": 5437440,
"sha512": "ee052120e053cf124246b87d165c5e7397d4961dd1b50ee1f4df3e331df83d8857ce2a7bff43d604f882e4addda0a56780004190aa53e33137991da7b9f40a7e",
"pids": [
1268
],
"md5": "ae4e16f9d2db18a8e3907864b352ad98"
},
{
"yara": [],
"sha1": "4e80e5e02efc26d4e3c6ac277f14a46a9d7609e7",
"name": "743919aabb80bfc5_coccoctorrentupdate.exe",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "743919aabb80bfc5c82c94642c47a565421e0bb83972910e6833d3bf37531e56",
"urls": [
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/",
"http:\/\/crl.globalsign.net\/root.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"https:\/\/www.globalsign.com\/repository\/06",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0"
],
"crc32": "32E30FFF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/743919aabb80bfc5_coccoctorrentupdate.exe",
"ssdeep": null,
"size": 1612512,
"sha512": "146785d34252c1e0f7c81aba25143066d18832dec97738be575f7d356b133c7146575d74a2ba5a5aa17a48c34c5b3112db225696906da7c5067d6e6f6fbef3d5",
"pids": [
1268
],
"md5": "27ec60b955db504503ede4d9e7c4c2df"
},
{
"yara": [],
"sha1": "5750f95d2425bca024f1f599fa3a20dca4d04ba8",
"name": "e228c8ebd405c12e_coccocupdatewebplugin.exe",
"filepath": "C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "e228c8ebd405c12e42c682645cba233ad18d91ae377733f1817d71d3025285ea",
"urls": [
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/crl.globalsign.com\/root.crl0Y",
"http:\/\/crl.globalsign.com\/gs\/gscodesigng3.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"http:\/\/ocsp.globalsign.com\/rootr103",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingg2.crl0",
"http:\/\/ocsp2.globalsign.com\/gstimestampingg20",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingg2.crt08",
"https:\/\/www.globalsign.com\/repository\/03",
"http:\/\/crl.globalsign.net\/root.crl0",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gscodesigng30V",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"http:\/\/secure.globalsign.com\/cacert\/gscodesigng3ocsp.crt04",
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0"
],
"crc32": "79BA71A3",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1828\/files\/e228c8ebd405c12e_coccocupdatewebplugin.exe",
"ssdeep": null,
"size": 101600,
"sha512": "fcb3ad36518f34fe1015cae77d2da2b94125658252294c762fe6ab1f5f0f5cf2cf8c9cd7e8c67018bf84a7abf42be2c858a9739670b84d6ac08154d08a7c9d07",
"pids": [
1268
],
"md5": "d7c2476111916ca559d9a87a15a2761d"
}
]Generic
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"process_name": "CocCocUpdate.exe",
"pid": 264,
"summary": {
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc"
],
"dll_loaded": [
"dbghelp.dll",
"kernel32",
"CFGMGR32.dll",
"kernel32.dll",
"credssp.dll",
"ntdll.dll",
"cryptsp.dll",
"api-ms-win-core-synch-l1-2-0",
"winhttp.dll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\System32\\wship6.dll",
"cryptbase.dll",
"SspiCli.dll",
"ole32.dll",
"SHLWAPI.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"cscapi.dll",
"IPHLPAPI.DLL",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"winhttp",
"RPCRT4.dll",
"DNSAPI.dll",
"wkscli.dll",
"NSI.dll",
"api-ms-win-core-fibers-l1-1-1",
"C:\\Windows\\system32\\mswsock.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"WS2_32.dll"
],
"file_opened": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\proxy",
"HKEY_LOCAL_MACHINE\\Software\\CocCoc\\UpdateDev\\",
"HKEY_CURRENT_USER\\SOFTWARE\\Clients\\StartMenuInternet",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\Preference",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache"
],
"resolves_host": [
"browser.coccoc.com"
],
"file_written": [
"\\\\?\\PIPE\\wkssvc"
],
"file_exists": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc",
"C:\\CocCocUpdate.ini",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\CrashReports",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
],
"mutex": [
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{D19BAF17-7C87-467E-8D63-6C4B1C836373}"
],
"file_failed": [
"\\\\?\\pipe\\CocCocCrashServices\\S-1-5-21-699399860-4089948139-3198924279-1001"
],
"file_read": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\old-uid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\uid-num-rotations",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\usagestats",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\eulaaccepted",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\proxy\\source",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_CURRENT_USER\\Software\\Clients\\StartMenuInternet\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\uid-create-time",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only"
]
},
"first_seen": 1565988790.2969,
"ppid": 2968
},
{
"process_path": "C:\\Windows\\explorer.exe",
"process_name": "explorer.exe",
"pid": 1788,
"summary": {
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\FFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByDirection",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2\\Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Sort",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\LogicalViewMode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Mode",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\UserStartTime",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\LastAdvertisement",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ColInfo",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:FMTID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PastIconsStream",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\\Desktop\\TaskbarWinXP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\IconSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:PID"
],
"file_opened": [
"c:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\coccocupdate.exe",
"C:\\Program Files (x86)\\",
"C:\\",
"C:\\Users\\",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\",
"C:\\Users\\cuck\\",
"c:\\program files (x86)\\GUM578A.tmp\\coccocupdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Program Files (x86)\\desktop.ini",
"C:\\Users\\cuck\\AppData\\"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2",
"HKEY_CLASSES_ROOT\\Outlook.Application",
"HKEY_CLASSES_ROOT\\Outlook.Application.12",
"HKEY_CLASSES_ROOT\\Outlook.Application.11",
"HKEY_CLASSES_ROOT\\Outlook.Application.10"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupCollapseState",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemOrder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemPos800x600x96(1)"
],
"file_exists": [
"C:\\cuckoo_264.ini",
"C:\\Users\\cuck\\Desktop",
"C:\\cuckoo_1788.ini",
"C:\\Program Files (x86)",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\cuckoo_1424.ini",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"C:\\cuckoo_2700.ini"
],
"mutex": [
"Local\\Shell.CMruPidlList"
],
"file_failed": [
"C:\\cuckoo_264.ini",
"C:\\cuckoo_1788.ini",
"C:\\cuckoo_2700.ini",
"C:\\cuckoo_1424.ini"
],
"guid": [
"{2fb499a3-cfce-480f-a5f3-2453db7a2b7a}",
"{1a1f4206-0688-4e7f-be03-d82ec69df9a5}",
"{42aedc87-2188-41fd-b9a3-0c966feabec1}",
"{9b63616c-36b2-46bc-959f-c1593952d19b}",
"{46a6eeff-908e-4dc6-92a6-64be9177b41c}",
"{660b90c8-73a9-4b58-8cae-355b7f55341b}"
],
"file_read": [
"C:\\Program Files (x86)\\desktop.ini"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlot",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClearRecentDocsOnExit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\NeverShowExt",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PromotedIconCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\PerceivedType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JobObject\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU Size"
]
},
"first_seen": 1565988788.1094,
"ppid": 1740
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"process_name": "CocCocUpdate.exe",
"pid": 2700,
"summary": {
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Install",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Download",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc"
],
"dll_loaded": [
"dbghelp.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"cscapi.dll",
"kernel32",
"RpcRtRemote.dll",
"api-ms-win-core-fibers-l1-1-1",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"rpcrt4.dll",
"CRYPTSP.dll",
"wkscli.dll",
"api-ms-win-core-synch-l1-2-0",
"comctl32.dll"
],
"file_opened": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_vi.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{C0CC0CBB-47DD-46FF-A04D-7011A06486E1}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\CocCoc\\UpdateDev\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\Preference",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\CocCocUpdate.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
],
"file_written": [
"\\\\?\\PIPE\\wkssvc"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\eulaaccepted"
],
"file_exists": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc",
"C:\\CocCocUpdate.ini",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\CrashReports",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Install",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Download",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update",
"C:\\Users\\cuck\\AppData\\Local"
],
"mutex": [
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{6885AE8E-C070-458d-9711-37B9BEAB65F6}",
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{0A175FBE-AEEC-4fea-855A-2AA549A88846}"
],
"file_failed": [
"\\\\?\\pipe\\CocCocCrashServices\\S-1-5-21-699399860-4089948139-3198924279-1001"
],
"file_read": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\78B00063",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\eulaaccepted",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Install\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\Download\\*"
]
},
"first_seen": 1565988790.3281,
"ppid": 2968
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"process_name": "CocCocUpdate.exe",
"pid": 1424,
"summary": {
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc"
],
"dll_loaded": [
"dbghelp.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"cscapi.dll",
"kernel32",
"api-ms-win-core-fibers-l1-1-1",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll",
"kernel32.dll",
"C:\\Windows\\system32\\kernel32.dll",
"rpcrt4.dll",
"wkscli.dll",
"api-ms-win-core-synch-l1-2-0"
],
"file_opened": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\LocalServer32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\NumMethods",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser.1.0",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser.1.0",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\VersionIndependentProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\LocalServer32",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\LocalServer32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\Software\\Microsoft",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}",
"HKEY_CLASSES_ROOT\\Interface",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser.1.0\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\NumMethods",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\ProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\VersionIndependentProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\ProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\Software\\CocCoc\\UpdateDev\\",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\NumMethods",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\CurVer",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser.1.0",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser.1.0",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\ProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser.1.0\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\NumMethods",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser.1.0",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\NumMethods",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\VersionIndependentProgID",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser.1.0\\CLSID",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\CLSID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\LocalServer32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\CurVer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\NumMethods",
"HKEY_CURRENT_USER\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}\\InProcServer32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_CURRENT_USER\\Software\\Classes",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}",
"HKEY_CLASSES_ROOT\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\NumMethods",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\VersionIndependentProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\ProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\NumMethods",
"HKEY_CURRENT_USER\\Software",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\ProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\NumMethods",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\VersionIndependentProgID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\Preference",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\CurVer",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\CLSID",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\NumMethods",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\NumMethods",
"HKEY_CURRENT_USER\\SOFTWARE",
"HKEY_CURRENT_USER",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\NumMethods",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser.1.0\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\CurVer",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\CurVer",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\LocalServer32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser.1.0\\CLSID"
],
"file_written": [
"\\\\?\\PIPE\\wkssvc"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}\\InprocServer32",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}\\InprocHandler32",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}"
],
"file_exists": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc",
"C:\\CocCocUpdate.ini",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\CrashReports",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
],
"file_failed": [
"\\\\?\\pipe\\CocCocCrashServices\\S-1-5-21-699399860-4089948139-3198924279-1001"
],
"file_read": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\eulaaccepted",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\usagestats",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}\\InprocServer32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\CLSID",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}\\InProcServer32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}\\InprocHandler32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{D5E238C2-919F-47C9-B769-47D7432E1852}\\InProcServer32\\ThreadingModel",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\Policy",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{98864DB4-F198-41BB-9901-D499B74FAB1C}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\CurVer\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{37514F9D-A61C-4F73-B94C-56F2B47789EB}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCoc.OneClickProcessLauncherUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3WebUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F15393EF-1112-41C4-9A24-20C0F0075DC1}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{CCBB641B-0D24-451C-9638-2DE0D4B5ED5F}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{0A039001-050F-4ADA-AD8B-F2E5C9615B45}\\InprocServer32\\ThreadingModel",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser.1.0\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{61C44F32-B764-4629-A9AD-A591E64B2580}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{4A2DF7EF-905D-4C4D-A683-42C891F228BF}\\InprocHandler32\\ThreadingModel",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{4975912A-17C1-40D4-BCF5-1190E476FE82}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{19DEA306-99DC-4690-B2E9-FFD51AE45C96}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.OnDemandCOMClassUser\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CDC22AF6-28C2-4638-9580-F867915A38C4}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{DFFF09FD-4FB6-4CF2-A855-3EACD48881FA}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{B9D2B446-92D8-44E8-9A7B-127AAC768BA3}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.CredentialDialogUser\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\VersionIndependentProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{A4F10457-0600-4470-9A22-AD99E26F7AD2}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{69279211-FE09-4A3B-9B32-E661957D9EA3}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{48AEB2A3-803F-4259-899D-B624B6DF64F5}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{63191E9E-FD33-4B38-B3F1-62982ADA8B2F}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\LocalServer32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{F34D723C-FA54-43D8-9C05-574D28672153}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{CF051BE3-B7D3-4F50-B578-C647DD386940}\\NumMethods\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F0E42375-D761-47E9-B64F-310CEB39F32F}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{7A78866B-695A-4153-A29F-92B38626E332}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\CocCocUpdate.Update3COMClassUser.1.0\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{FBD15E06-051F-43E6-9FE0-7F5B6B57B481}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Wow6432Node\\Interface\\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\\ProxyStubClsid32\\(Default)"
]
},
"first_seen": 1565988789.4688,
"ppid": 2968
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\e9b3b6918ac282401509cb49d8330aa71ff0141477776820c8bfcc6f4750974c.bin",
"process_name": "e9b3b6918ac282401509cb49d8330aa71ff0141477776820c8bfcc6f4750974c.bin",
"pid": 1268,
"summary": {
"file_created": [
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Program Files (x86)\\GUT579A.tmp",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe"
],
"directory_created": [
"C:\\Program Files (x86)",
"C:\\Program Files (x86)\\GUM578A.tmp"
],
"dll_loaded": [
"kernel32",
"kernel32.dll",
"api-ms-win-core-fibers-l1-1-1",
"api-ms-win-core-synch-l1-2-0"
],
"file_opened": [
"C:\\Program Files (x86)\\GUT579A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e9b3b6918ac282401509cb49d8330aa71ff0141477776820c8bfcc6f4750974c.bin",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e9b3b6918ac282401509cb49d8330aa71ff0141477776820c8bfcc6f4750974c.bin",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe"
]
],
"command_line": [
"\"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe\" \/installsource taggedmi \/install \"appguid={C0CC0CBB-47DD-46FF-A04D-7011A06486E1}&appname=C%E1%BB%91c%20C%E1%BB%91c&needsadmin=false&lang=vi&client={00000000-0000-0000-0000-000000000000}&brand=XXXX\""
],
"file_written": [
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Program Files (x86)\\GUT579A.tmp",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe"
],
"file_deleted": [
"C:\\Program Files (x86)\\GUM578A.tmp"
],
"file_exists": [
"C:\\Program Files (x86)"
],
"file_read": [
"C:\\Program Files (x86)\\GUT579A.tmp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1565988786.7344,
"ppid": 2660
},
{
"process_path": "C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"process_name": "CocCocUpdate.exe",
"pid": 2968,
"summary": {
"file_deleted": [
"C:\\Windows\\Tasks\\GoogleUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001.job",
"C:\\Windows\\Tasks\\GoogleUpdateTaskUser.job"
],
"file_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\CrashReports",
"C:\\Program Files (x86)\\CocCoc",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103",
"C:\\Program Files (x86)\\CocCoc\\CrashReports",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc"
],
"dll_loaded": [
"dbghelp.dll",
"kernel32",
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"ntdll.dll",
"api-ms-win-core-synch-l1-2-0",
"ntmarta.dll",
"wkscli.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"SspiCli.dll",
"ole32.dll",
"SHLWAPI.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"cscapi.dll",
"MPR.DLL",
"OLEAUT32.dll",
"SHELL32.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"comctl32.dll",
"api-ms-win-core-fibers-l1-1-1",
"ADVAPI32.dll",
"rpcrt4.dll",
"SETUPAPI.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateBroker.exe",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocCrashHandler.exe",
"\\\\?\\PIPE\\wkssvc",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateOnDemand.exe",
"C:\\Windows\\Tasks",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Program Files (x86)\\CocCoc\\CrashReports",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_vi.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateHelper.msi",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\Tasks\\",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job"
],
"file_copied": [
[
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateHelper.msi"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateWebPlugin.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateBroker.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psmachine.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocCrashHandler.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocTorrentUpdate.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_vi.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdate.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateOnDemand.exe"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_en.dll"
],
[
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe"
]
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\CocCoc\\UpdateDev\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\CocCocUpdate.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\CocCoc\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\CocCocUpdate.exe",
"HKEY_LOCAL_MACHINE\\Software\\CocCoc\\Update\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\Preference",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\CocCocUpdate.exe",
"HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\CocCocUpdate.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
],
"file_moved": [
[
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe.old"
]
],
"file_written": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ui",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\LastChecked",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableCount",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\LastCodeRedCheck",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableSince"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe\" \/regserver",
"\"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe\" \/handoff \"appguid={C0CC0CBB-47DD-46FF-A04D-7011A06486E1}&appname=C%E1%BB%91c%20C%E1%BB%91c&needsadmin=false&lang=vi&client={00000000-0000-0000-0000-000000000000}&brand=XXXX\" \/installsource taggedmi \/sessionid \"{32761EF4-8770-4B28-BB79-9A12AE8D4036}\"",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe \/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIyLjUuMTUuMTAzIiBzaGVsbF92ZXJzaW9uPSIyLjUuMTUuMTAzIiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0iezMyNzYxRUY0LTg3NzAtNEIyOC1CQjc5LTlBMTJBRThENDAzNn0iIHVzZXJpZD0iOUE2MUFCODgtNTY4Mi00MTRGLUIzQjAtRTgzODY5NDlEQjIyIiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgcmVxdWVzdGlkPSJ7MzNFQkVDOTEtQkY0Ni00N0Y3LUFGOTktQ0Q2RThCQTJCMUI4fSIgZGVkdXA9ImNyIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIyLjUuMTUuMTAzIiBsYW5nPSJ2aSIgYnJhbmQ9IlhYWFgiIGNsaWVudD0iezAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTk2OSIvPjwvYXBwPjwvcmVxdWVzdD4",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe \/handoff \"appguid={C0CC0CBB-47DD-46FF-A04D-7011A06486E1}&appname=C%E1%BB%91c%20C%E1%BB%91c&needsadmin=false&lang=vi&client={00000000-0000-0000-0000-000000000000}&brand=XXXX\" \/installsource taggedmi \/sessionid \"{32761EF4-8770-4B28-BB79-9A12AE8D4036}\"",
"\"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe\" \/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIyLjUuMTUuMTAzIiBzaGVsbF92ZXJzaW9uPSIyLjUuMTUuMTAzIiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0iezMyNzYxRUY0LTg3NzAtNEIyOC1CQjc5LTlBMTJBRThENDAzNn0iIHVzZXJpZD0iOUE2MUFCODgtNTY4Mi00MTRGLUIzQjAtRTgzODY5NDlEQjIyIiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgcmVxdWVzdGlkPSJ7MzNFQkVDOTEtQkY0Ni00N0Y3LUFGOTktQ0Q2RThCQTJCMUI4fSIgZGVkdXA9ImNyIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIyLjUuMTUuMTAzIiBsYW5nPSJ2aSIgYnJhbmQ9IlhYWFgiIGNsaWVudD0iezAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTk2OSIvPjwvYXBwPjwvcmVxdWVzdD4"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateBroker.exe",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\CrashReports",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_en.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateOnDemand.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdate.exe",
"C:\\CocCocUpdate.ini",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocCrashHandler.exe",
"C:\\Program Files (x86)\\CocCoc",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Program Files (x86)\\CocCoc\\CrashReports",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Users",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe.old",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Program Files (x86)\\GUM578A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103",
"C:\\Users\\cuck",
"C:\\Program Files (x86)",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_vi.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Program Files (x86)\\GUM578A.tmp\\OfflineManifest.gup",
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateHelper.msi",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe"
],
"mutex": [
"Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{A9A86B93-B54E-4570-BE89-42418507707B}"
],
"file_failed": [
"\\\\?\\pipe\\CocCocCrashServices\\S-1-5-21-699399860-4089948139-3198924279-1001",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job"
],
"guid": [
"{148bd527-a2ab-11ce-b11f-00aa00530503}",
"{2933bf81-7b36-11d2-b20e-00c04f983e60}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}",
"{f6d90f11-9c73-11d3-b32e-00c04f990bb4}",
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{148bd52a-a2ab-11ce-b11f-00aa00530503}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateBroker.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocCrashHandler.exe",
"\\\\?\\PIPE\\wkssvc",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocTorrentUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psuser.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocCrashHandler.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_en.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateOnDemand.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\psuser.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateBroker.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateOnDemand.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateHelper.msi",
"C:\\Users\\cuck\\AppData\\Roaming\\CocCoc\\uid",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\psmachine.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateWebPlugin.exe",
"C:\\Program Files (x86)\\GUM578A.tmp\\coccocpdateres_vi.dll",
"C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdate.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateSetup.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\coccocpdateres_vi.dll",
"C:\\Program Files (x86)\\GUM578A.tmp\\psmachine.dll",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\2.5.15.103\\CocCocUpdateHelper.msi",
"C:\\Program Files (x86)\\GUM578A.tmp\\CocCocUpdateSetup.exe"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\coccoc_task_c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\InstallTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\brand",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\2019",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\coccoc_task_ua",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\LastEntry",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastActivity",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\FirstEntry",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\2007",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\*.*"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfInstall",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\LastOSVersion",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\TorrentPath",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\Clients\\{430FD4D0-B729-4F61-AA34-91526481799D}\\name",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\version",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\InstallTime",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\UninstallCmdLine",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\client",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CocCoc Update",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\IsMSIHelperRegistered",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\path",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\brand",
"HKEY_CURRENT_USER\\Software\\CocCoc\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastActivity"
]
},
"first_seen": 1565988787.7188,
"ppid": 1268
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1565988786.4688,
"ppid": 376
}
]Signatures
[
{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1565988790.0157,
"tid": 2588,
"flags": {}
},
"pid": 2968,
"type": "call",
"cid": 2274
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1565988790.0157,
"tid": 2588,
"flags": {}
},
"pid": 2968,
"type": "call",
"cid": 2284
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 1,
"families": [],
"description": "This executable has a PDB path",
"severity": 1,
"marks": [
{
"category": "pdb_path",
"ioc": "mi_exe_stub.pdb",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_pdb"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1565988787.9067,
"tid": 2588,
"flags": {}
},
"pid": 2968,
"type": "call",
"cid": 167
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 1,
"families": [],
"description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
"severity": 1,
"marks": [
{
"category": "section",
"ioc": ".gfids",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_features"
},
{
"markcount": 2,
"families": [],
"description": "The file contains an unknown PE resource name possibly indicative of a packer",
"severity": 1,
"marks": [
{
"category": "resource name",
"ioc": "B",
"type": "ioc",
"description": null
},
{
"category": "resource name",
"ioc": "GOOGLEUPDATE",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_unknown_resource_name"
},
{
"markcount": 2,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2968,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01090000"
},
"time": 1565988788.7348,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2968,
"type": "call",
"cid": 1722
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2700,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00440000"
},
"time": 1565988790.5161,
"tid": 3048,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2700,
"type": "call",
"cid": 518
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 0,
"families": [],
"description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed",
"severity": 2,
"marks": [],
"references": [
"https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb"
],
"name": "antisandbox_foregroundwindows"
},
{
"markcount": 1,
"families": [],
"description": "A process attempted to delay the analysis task.",
"severity": 2,
"marks": [
{
"type": "generic",
"description": "CocCocUpdate.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds"
}
],
"references": [],
"name": "antisandbox_sleep"
},
{
"markcount": 1,
"families": [],
"description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "CocCocUpdate.exe",
"snapshot_handle": "0x00000228",
"process_identifier": 2968
},
"time": 1565988788.0628,
"tid": 2588,
"flags": {}
},
"pid": 2968,
"type": "call",
"cid": 577
}
],
"references": [],
"name": "injection_process_search"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 15,
"family": 0
},
"time": 1565988790.5159,
"tid": 2268,
"flags": {}
},
"pid": 264,
"type": "call",
"cid": 507
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.9968583925557,
"section": {
"size_of_data": "0x00103a00",
"virtual_address": "0x00024000",
"entropy": 7.9968583925557,
"name": ".rsrc",
"virtual_size": "0x001038b4"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.8868488471392,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 2,
"families": [],
"description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
"severity": 2,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1565988788.0628,
"tid": 2588,
"flags": {}
},
"pid": 2968,
"type": "call",
"cid": 587
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1565988788.0777,
"tid": 2588,
"flags": {}
},
"pid": 2968,
"type": "call",
"cid": 745
}
],
"references": [],
"name": "privilege_luid_check"
},
{
"markcount": 2,
"families": [],
"description": "Uses Windows utilities for basic Windows functionality",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe \/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIyLjUuMTUuMTAzIiBzaGVsbF92ZXJzaW9uPSIyLjUuMTUuMTAzIiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0iezMyNzYxRUY0LTg3NzAtNEIyOC1CQjc5LTlBMTJBRThENDAzNn0iIHVzZXJpZD0iOUE2MUFCODgtNTY4Mi00MTRGLUIzQjAtRTgzODY5NDlEQjIyIiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgcmVxdWVzdGlkPSJ7MzNFQkVDOTEtQkY0Ni00N0Y3LUFGOTktQ0Q2RThCQTJCMUI4fSIgZGVkdXA9ImNyIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIyLjUuMTUuMTAzIiBsYW5nPSJ2aSIgYnJhbmQ9IlhYWFgiIGNsaWVudD0iezAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTk2OSIvPjwvYXBwPjwvcmVxdWVzdD4",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "\"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe\" \/ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIyLjUuMTUuMTAzIiBzaGVsbF92ZXJzaW9uPSIyLjUuMTUuMTAzIiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0iezMyNzYxRUY0LTg3NzAtNEIyOC1CQjc5LTlBMTJBRThENDAzNn0iIHVzZXJpZD0iOUE2MUFCODgtNTY4Mi00MTRGLUIzQjAtRTgzODY5NDlEQjIyIiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgcmVxdWVzdGlkPSJ7MzNFQkVDOTEtQkY0Ni00N0Y3LUFGOTktQ0Q2RThCQTJCMUI4fSIgZGVkdXA9ImNyIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIyLjUuMTUuMTAzIiBsYW5nPSJ2aSIgYnJhbmQ9IlhYWFgiIGNsaWVudD0iezAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTk2OSIvPjwvYXBwPjwvcmVxdWVzdD4",
"type": "ioc",
"description": null
}
],
"references": [
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
],
"name": "uses_windows_utilities"
},
{
"markcount": 3,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CocCoc Update",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Update\\CocCocUpdate.exe\" \/c"
},
{
"category": "file",
"ioc": "C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001Core.job",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Windows\\Tasks\\CocCocUpdateTaskUserS-1-5-21-699399860-4089948139-3198924279-1001UA.job",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 2,
"families": [],
"description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "NtSetValueKey",
"return_value": 0,
"arguments": {
"index": 0,
"key_handle": "0x0000000000000f84",
"value": "\u0014\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0010\u0000\u0000\u0000\u0014\u0000\u0000\u0000IL \u0006\u0010\u0000$\u0000\u0018\u0000\u0010\u0000\u0010\u0000\u00ff\u00ff\u00ff\u00ff!\u0010\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ffBM6\u0000\u0000\u0000\u0000\u0000\u0000\u00006\u0000\u0000\u0000(\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0002\u0000\u0000\u0001\u0000 \u0000\u0000\u0000\u0000\u0000\u0000\u0090\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PastIconsStream"
},
"time": 1565988367.4096,
"tid": 1828,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 1788,
"type": "call",
"cid": 9185
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "NtSetValueKey",
"return_value": 0,
"arguments": {
"index": 0,
"key_handle": "0x00000000000001e0",
"value": "\u0014\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0004\u0000\u0000\u0000\u0014\u0000\u0000\u0000{\u0000S\u00003\u00008\u0000O\u0000S\u00004\u00000\u00004\u0000-\u00001\u0000Q\u00004\u00003\u0000-\u00004\u00002\u0000S\u00002\u0000-\u00009\u00003\u00000\u00005\u0000-\u00006\u00007\u0000Q\u0000R\u00000\u0000O\u00002\u00008\u0000S\u0000P\u00002\u00003\u0000}\u0000\\\u0000r\u0000k\u0000c\u0000y\u0000b\u0000e\u0000r\u0000e\u0000.\u0000r\u0000k\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u00e3\u0007\b\u0000F\u0000b\u0000y\u0000i\u0000r\u0000 \u0000C\u0000P\u0000 \u0000v\u0000f\u0000f\u0000h\u0000r\u0000f\u0000:\u0000 \u00001\u0000 \u0000z\u0000r\u0000f\u0000f\u0000n\u0000t\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000e\u0000\u0000\u0000v\u00ae x\u00e3#)B\u0082\u00c1\u00e4\u001c\u00b6}[\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b3\u0086;4\u00e6\u00ee\u00d4\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\r !\u008f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\u0000S\u00003\u00008\u0000O\u0000S\u00004\u00000\u00004\u0000-\u00001\u0000Q\u00004\u00003\u0000-\u00004\u00002\u0000S\u00002\u0000-\u00009\u00003\u00000\u00005\u0000-\u00006\u00007\u0000Q\u0000R\u00000\u0000O\u00002\u00008\u0000S\u0000P\u00002\u00003\u0000}\u0000\\\u0000r\u0000k\u0000c\u0000y\u0000b\u0000e\u0000r\u0000e\u0000.\u0000r\u0000k\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000d\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u00e3\u0007\b\u0000F\u0000c\u0000r\u0000n\u0000x\u0000r\u0000e\u0000f\u0000:\u0000 \u00006\u00007\u0000%\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000f\u0000\u0000\u0000s\u00ae x\u00e3#)B\u0082\u00c1\u00e4\u001c\u00b6}[\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u00e2\u009e\u00956\u0005\u00d4\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\r !\u008f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000{\u0000S\u00003\u00008\u0000O\u0000S\u00004\u00000\u00004\u0000-\u00001\u0000Q\u00004\u00003\u0000-\u00004\u00002\u0000S\u00002\u0000-\u00009\u00003\u00000\u00005\u0000-\u00006\u00007\u0000Q\u0000R\u00000\u0000O\u00002\u00008\u0000S\u0000P\u00002\u00003\u0000}\u0000\\\u0000r\u0000k\u0000c\u0000y\u0000b\u0000e\u0000r\u0000e\u0000.\u0000r\u0000k\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000}\u00c0\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u00e3\u0007\b\u0000H\u0000a\u0000v\u0000q\u0000r\u0000a\u0000g\u0000v\u0000s\u0000v\u0000r\u0000q\u0000 \u0000a\u0000r\u0000g\u0000j\u0000b\u0000e\u0000x\u0000 \u0000A\u0000b\u0000 \u0000V\u0000a\u0000g\u0000r\u0000e\u0000a\u0000r\u0000g\u0000 \u0000n\u0000p\u0000p\u0000r\u0000f\u0000f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams"
},
"time": 1565988367.4096,
"tid": 1828,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 1788,
"type": "call",
"cid": 9187
}
],
"references": [],
"name": "creates_largekey"
},
{
"markcount": 1,
"families": [],
"description": "Deletes executed files from disk",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "C:\\Program Files (x86)\\GUM578A.tmp",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "deletes_executed_files"
},
{
"markcount": 1,
"families": [],
"description": "Creates a windows hook that monitors keyboard input (keylogger)",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "SetWindowsHookExW",
"return_value": 7602745,
"arguments": {
"thread_identifier": 0,
"callback_function": "0x00000000ffe9ae10",
"module_address": "0x00000000ffdf0000",
"hook_identifier": 13
},
"time": 1565988399.3776,
"tid": 1828,
"flags": {
"hook_identifier": "WH_KEYBOARD_LL"
}
},
"pid": 1788,
"type": "call",
"cid": 20547
}
],
"references": [],
"name": "infostealer_keylogger"
},
{
"markcount": 15,
"families": [
"zeus"
],
"description": "Zeus P2P (Banking Trojan)",
"severity": 3,
"marks": [
{
"category": "mutex",
"ioc": "Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{A9A86B93-B54E-4570-BE89-42418507707B}",
"type": "ioc",
"description": null
},
{
"category": "mutex",
"ioc": "Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{D19BAF17-7C87-467E-8D63-6C4B1C836373}",
"type": "ioc",
"description": null
},
{
"category": "mutex",
"ioc": "Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{6885AE8E-C070-458d-9711-37B9BEAB65F6}",
"type": "ioc",
"description": null
},
{
"category": "mutex",
"ioc": "Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
"type": "ioc",
"description": null
},
{
"category": "mutex",
"ioc": "Global\\CocCocS-1-5-21-699399860-4089948139-3198924279-1001{0A175FBE-AEEC-4fea-855A-2AA549A88846}",
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8366,
"time": 19.722671031952,
"dport": 5355,
"sport": 49840
},
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8686,
"time": 3.0147140026093,
"dport": 5355,
"sport": 51001
},
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9014,
"time": 1.0184781551361,
"dport": 5355,
"sport": 53595
},
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9342,
"time": 3.0237710475922,
"dport": 5355,
"sport": 53848
},
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9670,
"time": 1.6458480358124,
"dport": 5355,
"sport": 54255
},
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9998,
"time": -0.099370002746582,
"dport": 5355,
"sport": 55314
},
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10326,
"time": 6.1031889915466,
"dport": 5355,
"sport": 55880
},
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 10646,
"time": 1.5794050693512,
"dport": 1900,
"sport": 1900
},
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 30056,
"time": 1.0521490573883,
"dport": 3702,
"sport": 49152
},
"type": "ioc",
"description": null
},
{
"category": "udp",
"ioc": {
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 38440,
"time": 3.1093521118164,
"dport": 1900,
"sport": 53598
},
"type": "ioc",
"description": null
}
],
"references": [
"https:\/\/malwr.com\/analysis\/NmNhODg5ZWRkYjc0NDY0M2I3YTJhNDRlM2FlOTZiMjA\/",
"https:\/\/malwr.com\/analysis\/MmMwNDJlMTI0MTNkNGFjNmE0OGY3Y2I5MjhiMGI1NzI\/",
"https:\/\/malwr.com\/analysis\/MzY5ZTM2NzZhMzI3NDY2YjgzMjJiODFkODZkYzIwYmQ\/",
"https:\/\/www.virustotal.com\/de\/file\/301fcadf53e6a6167e559c84d6426960af8626d12b2e25aa41de6dce511d0568\/analysis\/#behavioural-info",
"https:\/\/www.virustotal.com\/de\/file\/d3cf49a7ac726ee27eae9d29dee648e34cb3e8fd9d494e1b347209677d62cdf9\/analysis\/#behavioural-info",
"https:\/\/www.virustotal.com\/de\/file\/d3cf49a7ac726ee27eae9d29dee648e34cb3e8fd9d494e1b347209677d62cdf9\/analysis\/#behavioural-info",
"https:\/\/www.virustotal.com\/de\/file\/301fcadf53e6a6167e559c84d6426960af8626d12b2e25aa41de6dce511d0568\/analysis\/#behavioural-info"
],
"name": "banker_zeus_p2p"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.0787079334259,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 6522,
"time": 9.0837240219116,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8366,
"time": 19.722671031952,
"dport": 5355,
"sport": 49840
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8686,
"time": 3.0147140026093,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9014,
"time": 1.0184781551361,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9342,
"time": 3.0237710475922,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9670,
"time": 1.6458480358124,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9998,
"time": -0.099370002746582,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10326,
"time": 6.1031889915466,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 10646,
"time": 1.5794050693512,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 30056,
"time": 1.0521490573883,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 38440,
"time": 3.1093521118164,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "31113b2ba95ad112bbc05b9f14db485b2819f69cf51f98130592081377c497e9",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "00449884e4c04d0a662c78fd30df5dcdc64f9cccede1c84f106c5d4df69268d3",
"irc": [],
"https_ex": []
}Screenshots
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 5793d42b3ed2b6fd9f6ff4d5b2f76179 |
| SHA256 | e9b3b6918ac282401509cb49d8330aa71ff0141477776820c8bfcc6f4750974c |
Error Messages
These are some of the error messages that can appear related to coccoc_vi.exe:
coccoc_vi.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
coccoc_vi.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
CocCoc Update Setup has stopped working.
End Program - coccoc_vi.exe. This program is not responding.
coccoc_vi.exe is not a valid Win32 application.
coccoc_vi.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with coccoc_vi.exe?
To help other users, please let us know what you will do with coccoc_vi.exe:
Malware or legitimate?
If you feel that you need more information to determine if your should keep this file or remove it, please read this guide.
And now some shameless self promotion ;)
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and let you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.