{"diagram": [{"nodes": [{"19640": [{"name": "wuauclt.exe"}, {"pid": 19640}]}, {"2020": [{"name": "submitted.exe"}, {"pid": 2020}]}, {"19632": [{"name": "msiexec.exe"}, {"pid": 19632}]}, {"19624": [{"name": "submitted.exe"}, {"pid": 19624}]}]}, {"edges": {"202019624WriteMemory": {"action": "WriteMemory", "source": {"pid": "2020", "name": "submitted.exe"}, "destination": {"pid": "19624", "name": "submitted.exe"}}, "1962419632WriteMemory": {"action": "WriteMemory", "source": {"pid": "19624", "name": "submitted.exe"}, "destination": {"pid": "19632", "name": "msiexec.exe"}}, "1963219640WriteMemory": {"action": "WriteMemory", "source": {"pid": "19632", "name": "msiexec.exe"}, "destination": {"pid": "19640", "name": "wuauclt.exe"}}, "1963219640ProcessCreate": {"action": "ProcessCreate", "source": {"pid": "19632", "name": "msiexec.exe"}, "destination": {"pid": "19640", "name": "wuauclt.exe"}}, "202019624ProcessCreate": {"action": "ProcessCreate", "source": {"pid": "2020", "name": "submitted.exe"}, "destination": {"pid": "19624", "name": "submitted.exe"}}, "1962419632ProcessCreate": {"action": "ProcessCreate", "source": {"pid": "19624", "name": "submitted.exe"}, "destination": {"pid": "19632", "name": "msiexec.exe"}}}}], "manipulated_registry_keys": [{"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\tValueName:0000000B\tTitleIndex:0x00000000\tType:0x00000003\tData:0x00424790\tDataSize:0x00007157\tSTATUS:0x00000000\r\n", "Time": "3109"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\tValueName:ImageBase\tTitleIndex:0x00000000\tType:0x00000003\tData:0x00910000\tDataSize:0x000BC600\tSTATUS:0x00000000\r\n", "Time": "3140"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": 
"submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{7e699b95-1fa9-11e3-bfbd-806d6172696f}\tValueName:BaseClass\tTitleIndex:0x00000000\tType:0x00000001\tData:0x7C9CFD10\tDataSize:0x0000000C\tSTATUS:0x00000000\r\n", "Time": "3187"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{9e2eacf9-a1b6-11e0-ac0b-005056bd58f7}\tValueName:BaseClass\tTitleIndex:0x00000000\tType:0x00000001\tData:0x7C9CFD10\tDataSize:0x0000000C\tSTATUS:0x00000000\r\n", "Time": "3187"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{7e699b93-1fa9-11e3-bfbd-806d6172696f}\tValueName:BaseClass\tTitleIndex:0x00000000\tType:0x00000001\tData:0x7C9CFD10\tDataSize:0x0000000C\tSTATUS:0x00000000\r\n", "Time": "3187"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{7e699b92-1fa9-11e3-bfbd-806d6172696f}\tValueName:BaseClass\tTitleIndex:0x00000000\tType:0x00000001\tData:0x7C9CFD10\tDataSize:0x0000000C\tSTATUS:0x00000000\r\n", "Time": "3187"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "3203"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": 
"submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "3203"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "3203"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "3203"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "3203"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "3203"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell 
Folders\tValueName:Cache\tTitleIndex:0x00000000\tType:0x00000001\tData:0x0012E0FC\tDataSize:0x000000A0\tSTATUS:0x00000000\r\n", "Time": "3203"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:Cookies\tTitleIndex:0x00000000\tType:0x00000001\tData:0x0012E0FC\tDataSize:0x00000060\tSTATUS:0x00000000\r\n", "Time": "3203"}, {"Action": "SetValueKey", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache\tValueName:C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\_install_\\msiexec.exe\tTitleIndex:0x00000000\tType:0x00000001\tData:0x0012ECF8\tDataSize:0x00000010\tSTATUS:0x00000000\r\n", "Time": "3218"}, {"Action": "SetValueKey", "Tid": "19644", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\tValueName:EventMessageFile\tTitleIndex:0x00000000\tType:0x00000002\tData:0x000B6580\tDataSize:0x0000003C\tSTATUS:0x00000000\r\n", "Time": "3937"}, {"Action": "SetValueKey", "Tid": "19644", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\tValueName:CategoryMessageFile\tTitleIndex:0x00000000\tType:0x00000002\tData:0x000B6580\tDataSize:0x0000003C\tSTATUS:0x00000000\r\n", "Time": "3937"}, {"Action": "SetValueKey", "Tid": "19644", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\tValueName:CategoryCount\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0007F89C\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "3937"}, {"Action": "SetValueKey", "Tid": "19644", "Pid": "19640", "Details": 
"wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\tValueName:TypesSupported\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0007F89C\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "3937"}, {"Action": "SetValueKey", "Tid": "19644", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\tValueName:35478\tTitleIndex:0x00000000\tType:0x00000001\tData:0x01260000\tDataSize:0x00000060\tSTATUS:0x00000000\r\n", "Time": "7046"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\tValueName:IMAGE_FILE_HEADER\tTitleIndex:0x00000000\tType:0x00000003\tData:0x012ED9D0\tDataSize:0x00000E00\tSTATUS:0x00000000\r\n", "Time": "7062"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:Cache\tTitleIndex:0x00000000\tType:0x00000001\tData:0x0133D93C\tDataSize:0x000000A0\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\tValueName:Directory\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C97E8\tDataSize:0x000000B8\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\tValueName:Paths\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DA80\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": 
"wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path1\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path2\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path3\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path4\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path1\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path2\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": 
"19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path3\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path4\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:Cookies\tTitleIndex:0x00000000\tType:0x00000001\tData:0x0133D93C\tDataSize:0x00000060\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:History\tTitleIndex:0x00000000\tType:0x00000001\tData:0x0133D93C\tDataSize:0x0000007E\tSTATUS:0x00000000\r\n", "Time": "7156"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7171"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7171"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7171"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7171"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7171"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7171"}, {"Action": "SetValueKey", "Tid": "19668", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:Common AppData\tTitleIndex:0x00000000\tType:0x00000001\tData:0x0146F88C\tDataSize:0x0000006A\tSTATUS:0x00000000\r\n", "Time": "7390"}, {"Action": "SetValueKey", "Tid": 
"19668", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\tValueName:AppData\tTitleIndex:0x00000000\tType:0x00000001\tData:0x0146F88C\tDataSize:0x00000072\tSTATUS:0x00000000\r\n", "Time": "7390"}, {"Action": "SetValueKey", "Tid": "19668", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:MigrateProxy\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0146FB94\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7390"}, {"Action": "SetValueKey", "Tid": "19668", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:ProxyEnable\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0146FCF8\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7390"}, {"Action": "DeleteValueKey", "Tid": "19668", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:ProxyServer\tKeyHandle:0x00000218\tSTATUS:0x00000000\r\n", "Time": "7390"}, {"Action": "DeleteValueKey", "Tid": "19668", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:ProxyOverride\tKeyHandle:0x00000218\tSTATUS:0x00000000\r\n", "Time": "7390"}, {"Action": "DeleteValueKey", "Tid": "19668", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:AutoConfigURL\tKeyHandle:0x00000218\tSTATUS:0x00000000\r\n", "Time": "7390"}, {"Action": "SetValueKey", "Tid": 
"19668", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\tValueName:ProxyEnable\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0146FCF8\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "7390"}, {"Action": "SetValueKey", "Tid": "19668", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\tValueName:SavedLegacySettings\tTitleIndex:0x00000000\tType:0x00000003\tData:0x000DD618\tDataSize:0x00000038\tSTATUS:0x00000000\r\n", "Time": "7390"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\tValueName:DOS_STUB\tTitleIndex:0x00000000\tType:0x00000003\tData:0x012ECE50\tDataSize:0x00000B80\tSTATUS:0x00000000\r\n", "Time": "28468"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\tValueName:ShowSuperHidden\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBC0\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "71062"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\tValueName:Hidden\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBBC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n", "Time": "71062"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": 
"wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{7e699b95-1fa9-11e3-bfbd-806d6172696f}\tValueName:BaseClass\tTitleIndex:0x00000000\tType:0x00000001\tData:0x7C9CFD10\tDataSize:0x0000000C\tSTATUS:0x00000000\r\n", "Time": "71906"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{9e2eacf9-a1b6-11e0-ac0b-005056bd58f7}\tValueName:BaseClass\tTitleIndex:0x00000000\tType:0x00000001\tData:0x7C9CFD10\tDataSize:0x0000000C\tSTATUS:0x00000000\r\n", "Time": "71906"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{7e699b93-1fa9-11e3-bfbd-806d6172696f}\tValueName:BaseClass\tTitleIndex:0x00000000\tType:0x00000001\tData:0x7C9CFD10\tDataSize:0x0000000C\tSTATUS:0x00000000\r\n", "Time": "71906"}, {"Action": "SetValueKey", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{7e699b92-1fa9-11e3-bfbd-806d6172696f}\tValueName:BaseClass\tTitleIndex:0x00000000\tType:0x00000001\tData:0x7C9CFD10\tDataSize:0x0000000C\tSTATUS:0x00000000\r\n", "Time": "71906"}], "malware_modified_file": [{"Action": "OpenCreate", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\_install_\\msiexec.exe\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "3109"}, {"Action": "WriteFile", "Tid": "19628", "Pid": "19624", "Details": 
"submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\_install_\\msiexec.exe\tLength:97280\tByteOffset:0\tSTATUS:0x00000000\r\n", "Time": "3109"}, {"Action": "OpenCreate", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\06.tmp\t-/-FileAttribute:\tFILE_ATTRIBUTE_HIDDEN\tFILE_SEQUENTIAL_ONLY\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "3109"}, {"Action": "WriteFile", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\06.tmp\tLength:65536\tByteOffset:0\tSTATUS:0x00000000\r\n", "Time": "3125"}, {"Action": "Delete", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\06.tmp\tDeleteFile:1\tSTATUS:0x00000000\r\n", "Time": "3140"}, {"Action": "OpenCreate", "Tid": "19644", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\ccmkoevq.com\t-/-FileAttribute:\tFILE_ATTRIBUTE_HIDDEN\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "7031"}, {"Action": "WriteFile", "Tid": "19644", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\ccmkoevq.com\tLength:32768\tByteOffset:0\tSTATUS:0x00000000\r\n", "Time": "7031"}, {"Action": "WriteFile", "Tid": "19644", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\ccmkoevq.com\tLength:32768\tByteOffset:32768\tSTATUS:0x00000000\r\n", "Time": "7031"}, {"Action": "Delete", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\07.tmp\tDeleteFile:1\tSTATUS:0x00000000\r\n", "Time": "28468"}, {"Action": "Delete", "Tid": 
"19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\08.tmp\tDeleteFile:1\tSTATUS:0x00000000\r\n", "Time": "49562"}, {"Action": "Delete", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\09.tmp\tDeleteFile:1\tSTATUS:0x00000000\r\n", "Time": "70671"}, {"Action": "OpenCreate", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\\u00a0\\desktop.ini\t-/-FileAttribute:\tFILE_ATTRIBUTE_HIDDEN\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "71250"}, {"Action": "WriteFile", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\\u00a0\\desktop.ini\tLength:126\tByteOffset:0\tSTATUS:0x00000000\r\n", "Time": "71250"}, {"Action": "OpenCreate", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\_WPMGJ.init\t-/-FileAttribute:\tFILE_ATTRIBUTE_READONLY\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "71328"}, {"Action": "WriteFile", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\_WPMGJ.init\tLength:5298\tByteOffset:0\tSTATUS:0x00000000\r\n", "Time": "71343"}, {"Action": "OpenCreate", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\desktop.ini\t-/-FileAttribute:\tFILE_ATTRIBUTE_READONLY\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "71421"}, {"Action": "WriteFile", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\desktop.ini\tLength:310\tByteOffset:0\tSTATUS:0x00000000\r\n", "Time": "71421"}, {"Action": "WriteFile", "Tid": "19656", "Pid": 
"19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\desktop.ini\tLength:2944\tByteOffset:310\tSTATUS:0x00000000\r\n", "Time": "71437"}, {"Action": "OpenCreate", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\Thumbs.db\t-/-FileAttribute:\tFILE_ATTRIBUTE_READONLY\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "71500"}, {"Action": "WriteFile", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\Thumbs.db\tLength:771584\tByteOffset:0\tSTATUS:0x00000000\r\n", "Time": "71890"}, {"Action": "OpenCreate", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\Removable Disk (1GB).lnk\t-/-FileAttribute:\tNOT DEFINE\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:FILE_SHARE_READ/WRITE", "Time": "71968"}], "malware_behaviors": [[{"id": 5}, {"title": "Tries to create or modify windows service"}, {"threat": 2}, {"rows": [[{"Action": "SetValueKey"}, {"Time": "3937"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\tValueName:EventMessageFile\tTitleIndex:0x00000000\tType:0x00000002\tData:0x000B6580\tDataSize:0x0000003C\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3937"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\tValueName:CategoryMessageFile\tTitleIndex:0x00000000\tType:0x00000002\tData:0x000B6580\tDataSize:0x0000003C\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3937"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": 
"wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\tValueName:CategoryCount\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0007F89C\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3937"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Application\\ESENT\tValueName:TypesSupported\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0007F89C\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}]]}], [{"id": 133}, {"title": "Tries to modify advanced Windows Explorer settings"}, {"threat": 3}, {"rows": [[{"Action": "SetValueKey"}, {"Time": "71062"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\tValueName:ShowSuperHidden\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBC0\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "71062"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\tValueName:Hidden\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBBC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}]]}], [{"id": 130}, {"title": "Drops an executable file"}, {"threat": 3}, {"rows": [[{"Action": "OpenCreate"}, {"Time": "3109"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\_install_\\msiexec.exe\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete"}], [{"Action": "WriteFile"}, {"Time": "3109"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": 
"submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\_install_\\msiexec.exe\tLength:97280\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "OpenCreate"}, {"Time": "7031"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\ccmkoevq.com\t-/-FileAttribute:\tFILE_ATTRIBUTE_HIDDEN\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete"}], [{"Action": "WriteFile"}, {"Time": "7031"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\ccmkoevq.com\tLength:32768\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "7031"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\ccmkoevq.com\tLength:32768\tByteOffset:32768\tSTATUS:0x00000000\r\n"}]]}], [{"id": 12}, {"title": "Creates an autostart registry key"}, {"threat": 3}, {"rows": [[{"Action": "SetValueKey"}, {"Time": "7046"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\tValueName:35478\tTitleIndex:0x00000000\tType:0x00000001\tData:0x01260000\tDataSize:0x00000060\tSTATUS:0x00000000\r\n"}]]}], [{"id": 28}, {"title": "Tries to change Internet Explorer security settings: this system alteration could seriously affect the safety of browsing the World Wide Web"}, {"threat": 2}, {"rows": [[{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, 
{"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": 
"wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\tValueName:Directory\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C97E8\tDataSize:0x000000B8\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\tValueName:Paths\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DA80\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path1\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path2\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path3\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path4\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": 
"19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path1\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path2\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path3\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path4\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7390"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\tValueName:MigrateProxy\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0146FB94\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7390"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:ProxyEnable\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0146FCF8\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7390"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\tValueName:ProxyEnable\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0146FCF8\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7390"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\tValueName:SavedLegacySettings\tTitleIndex:0x00000000\tType:0x00000003\tData:0x000DD618\tDataSize:0x00000038\tSTATUS:0x00000000\r\n"}]]}], [{"id": 152}, {"title": "Tries to hide files"}, {"threat": 3}, {"rows": [[{"Action": "SetFileInfo"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\Share\\new_sandBoxLog\\submitted.exe\t-/-FileAttribute:\tFILE_ATTRIBUTE_HIDDEN"}], [{"Action": "SetFileInfo"}, {"Time": "71265"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\\u00a0\t-/-FileAttribute:\tFILE_ATTRIBUTE_HIDDEN"}]]}], [{"id": 47}, {"title": "Writes to an ini file"}, {"threat": 1}, {"rows": [[{"Action": "OpenCreate"}, {"Time": "71250"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": 
"wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\\u00a0\\desktop.ini\t-/-FileAttribute:\tFILE_ATTRIBUTE_HIDDEN\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete"}], [{"Action": "WriteFile"}, {"Time": "71250"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\\u00a0\\desktop.ini\tLength:126\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "OpenCreate"}, {"Time": "71421"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\desktop.ini\t-/-FileAttribute:\tFILE_ATTRIBUTE_READONLY\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete"}], [{"Action": "WriteFile"}, {"Time": "71421"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\desktop.ini\tLength:310\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71437"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\desktop.ini\tLength:2944\tByteOffset:310\tSTATUS:0x00000000\r\n"}]]}], [{"id": 18}, {"title": "Tries to write to foreign memory regions"}, {"threat": 2}, {"rows": [[{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:65536\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:131072\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:2147336208\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": 
"submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:2147336680\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:4194304\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:4198400\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:4227072\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:4243456\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:4378624\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPID:19624\tTargetName:submitted.exe\tBaseAddress:4382720\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3265"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tTargetPID:19632\tTargetName:msiexec.exe\tBaseAddress:65536\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3265"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tTargetPID:19632\tTargetName:msiexec.exe\tBaseAddress:131072\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3265"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tTargetPID:19632\tTargetName:msiexec.exe\tBaseAddress:2147344400\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3265"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": 
"submitted.exe\tTargetPID:19632\tTargetName:msiexec.exe\tBaseAddress:2147344872\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3718"}, {"Pid": "19632"}, {"Tid": "19636"}, {"Key": "msiexec.exe\tTargetPID:19640\tTargetName:wuauclt.exe\tBaseAddress:65536\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3718"}, {"Pid": "19632"}, {"Tid": "19636"}, {"Key": "msiexec.exe\tTargetPID:19640\tTargetName:wuauclt.exe\tBaseAddress:131072\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3718"}, {"Pid": "19632"}, {"Tid": "19636"}, {"Key": "msiexec.exe\tTargetPID:19640\tTargetName:wuauclt.exe\tBaseAddress:2147348496\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3718"}, {"Pid": "19632"}, {"Tid": "19636"}, {"Key": "msiexec.exe\tTargetPID:19640\tTargetName:wuauclt.exe\tBaseAddress:196608\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteMemory"}, {"Time": "3718"}, {"Pid": "19632"}, {"Tid": "19636"}, {"Key": "msiexec.exe\tTargetPID:19640\tTargetName:wuauclt.exe\tBaseAddress:2147348968\tSTATUS:0x00000000\r\n"}]]}], [{"id": 13}, {"title": "Tries to delete itself after installation"}, {"threat": 2}, {"rows": [[{"Action": "Delete"}, {"Time": "3140"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\06.tmp\tDeleteFile:1\tSTATUS:0x00000000\r\n"}], [{"Action": "Delete"}, {"Time": "28468"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\07.tmp\tDeleteFile:1\tSTATUS:0x00000000\r\n"}], [{"Action": "Delete"}, {"Time": "49562"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\08.tmp\tDeleteFile:1\tSTATUS:0x00000000\r\n"}], [{"Action": "Delete"}, {"Time": "70671"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": 
"wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\09.tmp\tDeleteFile:1\tSTATUS:0x00000000\r\n"}]]}], [{"id": 88}, {"title": "Enables a proxy for the internet explorer"}, {"threat": 2}, {"rows": [[{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0012E734\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\tValueName:Directory\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C97E8\tDataSize:0x000000B8\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\tValueName:Paths\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DA80\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path1\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path2\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": 
"wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path3\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path4\tValueName:CachePath\tTitleIndex:0x00000000\tType:0x00000001\tData:0x000C98A8\tDataSize:0x000000C6\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path1\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path2\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path3\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7156"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\Paths\\path4\tValueName:CacheLimit\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DB98\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": 
"7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:ProxyBypass\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:IntranetName\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": 
"wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\tValueName:UNCAsIntranet\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBDC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7390"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:MigrateProxy\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0146FB94\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7390"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\tValueName:ProxyEnable\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0146FCF8\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7390"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\tValueName:ProxyEnable\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0146FCF8\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "7390"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\tValueName:SavedLegacySettings\tTitleIndex:0x00000000\tType:0x00000003\tData:0x000DD618\tDataSize:0x00000038\tSTATUS:0x00000000\r\n"}]]}], [{"id": 2}, {"title": "Tries to create temporary file"}, {"threat": 1}, {"rows": [[{"Action": "WriteFile"}, {"Time": "3109"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": 
"submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\_install_\\msiexec.exe\tLength:97280\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "3125"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\06.tmp\tLength:65536\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "7031"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\ccmkoevq.com\tLength:32768\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "7031"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ALLUSE~1\\LOCALS~1\\Temp\\ccmkoevq.com\tLength:32768\tByteOffset:32768\tSTATUS:0x00000000\r\n"}]]}], [{"id": 141}, {"title": "Modifies windows policies"}, {"threat": 3}, {"rows": [[{"Action": "SetValueKey"}, {"Time": "7046"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run\tValueName:35478\tTitleIndex:0x00000000\tType:0x00000001\tData:0x01260000\tDataSize:0x00000060\tSTATUS:0x00000000\r\n"}]]}], [{"id": 132}, {"title": "Manipulates files on removable disk"}, {"threat": 2}, {"rows": [[{"Action": "OpenCreate"}, {"Time": "71250"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\\u00a0\\desktop.ini\t-/-FileAttribute:\tFILE_ATTRIBUTE_HIDDEN\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete"}], [{"Action": "WriteFile"}, {"Time": "71250"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\\u00a0\\desktop.ini\tLength:126\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "OpenCreate"}, {"Time": "71328"}, {"Pid": "19640"}, {"Tid": "19656"}, 
{"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\_WPMGJ.init\t-/-FileAttribute:\tFILE_ATTRIBUTE_READONLY\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete"}], [{"Action": "WriteFile"}, {"Time": "71343"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\_WPMGJ.init\tLength:5298\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "OpenCreate"}, {"Time": "71421"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\desktop.ini\t-/-FileAttribute:\tFILE_ATTRIBUTE_READONLY\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete"}], [{"Action": "WriteFile"}, {"Time": "71421"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\desktop.ini\tLength:310\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71437"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\desktop.ini\tLength:2944\tByteOffset:310\tSTATUS:0x00000000\r\n"}], [{"Action": "OpenCreate"}, {"Time": "71500"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\Thumbs.db\t-/-FileAttribute:\tFILE_ATTRIBUTE_READONLY\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:AccessDenied for read/write/delete"}], [{"Action": "WriteFile"}, {"Time": "71546"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\$ConvertToNonresident\tLength:65536\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71593"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\$ConvertToNonresident\tLength:65536\tByteOffset:65536\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71656"}, {"Pid": 
"19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\$ConvertToNonresident\tLength:65536\tByteOffset:131072\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71703"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\$ConvertToNonresident\tLength:65536\tByteOffset:196608\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71750"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\$ConvertToNonresident\tLength:65536\tByteOffset:262144\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71796"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\$ConvertToNonresident\tLength:65536\tByteOffset:327680\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71843"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\$ConvertToNonresident\tLength:65536\tByteOffset:393216\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71890"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\$ConvertToNonresident\tLength:65536\tByteOffset:458752\tSTATUS:0x00000000\r\n"}], [{"Action": "WriteFile"}, {"Time": "71890"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\Thumbs.db\tLength:771584\tByteOffset:0\tSTATUS:0x00000000\r\n"}], [{"Action": "OpenCreate"}, {"Time": "71968"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\Removable Disk (1GB).lnk\t-/-FileAttribute:\tNOT DEFINE\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:FILE_SHARE_READ/WRITE"}]]}], [{"id": 114}, {"title": "Changes status of \"show hidden files and folder"}, {"threat": 3}, {"rows": [[{"Action": "SetValueKey"}, {"Time": "71062"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": 
"wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\tValueName:ShowSuperHidden\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBC0\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}], [{"Action": "SetValueKey"}, {"Time": "71062"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\REGISTRY\\USER\\S-1-5-21-117609710-1708537768-839522115-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\tValueName:Hidden\tTitleIndex:0x00000000\tType:0x00000004\tData:0x0133DBBC\tDataSize:0x00000004\tSTATUS:0x00000000\r\n"}]]}], [{"id": 57}, {"title": "Create Mutex"}, {"threat": 2}, {"rows": [[{"Action": "CreateMutant"}, {"Time": "3156"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=Null\tpid:19624\ttid:19628\taction:NtCreateMutant\tMutantHandle:0x0012D5DC\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x00000001\tMutantHandle__out:0x00000114\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "3156"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=Null\tpid:19624\ttid:19628\taction:NtCreateMutant\tMutantHandle:0x0012D5DC\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x7C81E4DF\tMutantHandle__out:0x0000011C\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "3187"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=Null\tpid:19624\ttid:19628\taction:NtCreateMutant\tMutantHandle:0x0012DFCC\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0012DFEC\tMutantHandle__out:0x0000013C\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "3187"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": 
"submitted.exe\tPath=Null\tpid:19624\ttid:19628\taction:NtCreateMutant\tMutantHandle:0x0012DFCC\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0012DFEC\tMutantHandle__out:0x00000148\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "3187"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=Null\tpid:19624\ttid:19628\taction:NtCreateMutant\tMutantHandle:0x0012DFCC\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0012DFEC\tMutantHandle__out:0x00000150\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=Null\tpid:19624\ttid:19628\taction:NtCreateMutant\tMutantHandle:0x0012DA40\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:ZonesCounterMutex\tInitialOwner:0\tMutantHandle_before:0x77260000\tMutantHandle__out:0x00000164\tSTATUS:0x40000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=Null\tpid:19624\ttid:19628\taction:NtCreateMutant\tMutantHandle:0x0012DA34\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:ZonesCacheCounterMutex\tInitialOwner:0\tMutantHandle_before:0x77260000\tMutantHandle__out:0x00000168\tSTATUS:0x40000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "3203"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tPath=Null\tpid:19624\ttid:19628\taction:NtCreateMutant\tMutantHandle:0x0012DA34\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:ZonesLockedCacheCounterMutex\tInitialOwner:0\tMutantHandle_before:0x77260000\tMutantHandle__out:0x0000016C\tSTATUS:0x40000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "3859"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": 
"wuauclt.exe\tPath=Null\tpid:19640\ttid:19644\taction:NtCreateMutant\tMutantHandle:0x0007E9C0\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:SHIMLIB_LOG_MUTEX\tInitialOwner:0\tMutantHandle_before:0x00000000\tMutantHandle__out:0x00000000\tSTATUS:0xC0000022\r\n"}], [{"Action": "CreateMutant"}, {"Time": "4000"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19644\taction:NtCreateMutant\tMutantHandle:0x0007F6D0\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0007F6F0\tMutantHandle__out:0x00000050\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "4000"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19644\taction:NtCreateMutant\tMutantHandle:0x0007F6D0\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0007F6F0\tMutantHandle__out:0x00000058\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "4000"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19644\taction:NtCreateMutant\tMutantHandle:0x0007F6D0\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x0007F6F0\tMutantHandle__out:0x00000060\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "4000"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19644\taction:NtCreateMutant\tMutantHandle:0x0007F954\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x00000001\tMutantHandle__out:0x00000068\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "4000"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": 
"wuauclt.exe\tPath=Null\tpid:19640\ttid:19644\taction:NtCreateMutant\tMutantHandle:0x0007F954\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x7C81E4DF\tMutantHandle__out:0x00000070\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "7015"}, {"Pid": "19640"}, {"Tid": "19644"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19644\taction:NtCreateMutant\tMutantHandle:0x0007FD08\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:2756086422\tInitialOwner:0\tMutantHandle_before:0x001B1F18\tMutantHandle__out:0x000000A4\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "7046"}, {"Pid": "19640"}, {"Tid": "19648"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19648\taction:NtCreateMutant\tMutantHandle:0x0127F6FC\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:ZonesCounterMutex\tInitialOwner:0\tMutantHandle_before:0x77260000\tMutantHandle__out:0x000000E8\tSTATUS:0x40000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "7046"}, {"Pid": "19640"}, {"Tid": "19648"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19648\taction:NtCreateMutant\tMutantHandle:0x0127F6F0\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:ZonesCacheCounterMutex\tInitialOwner:0\tMutantHandle_before:0x77260000\tMutantHandle__out:0x000000EC\tSTATUS:0x40000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "7046"}, {"Pid": "19640"}, {"Tid": "19648"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19648\taction:NtCreateMutant\tMutantHandle:0x0127F6F0\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:ZonesLockedCacheCounterMutex\tInitialOwner:0\tMutantHandle_before:0x77260000\tMutantHandle__out:0x000000F0\tSTATUS:0x40000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "7062"}, {"Pid": "19640"}, {"Tid": "19648"}, {"Key": 
"wuauclt.exe\tPath=Null\tpid:19640\ttid:19648\taction:NtCreateMutant\tMutantHandle:0x0127FEE0\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:CCC\tInitialOwner:0\tMutantHandle_before:0x012EAA94\tMutantHandle__out:0x00000104\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "7062"}, {"Pid": "19640"}, {"Tid": "19648"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19648\taction:NtCreateMutant\tMutantHandle:0x0127FEE0\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:TLS\tInitialOwner:0\tMutantHandle_before:0x00000104\tMutantHandle__out:0x00000108\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "7171"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19656\taction:NtCreateMutant\tMutantHandle:0x0133E348\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x00000178\tMutantHandle__out:0x0000017C\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "7296"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19668\taction:NtCreateMutant\tMutantHandle:0x0146F700\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:(NULL)\tInitialOwner:0\tMutantHandle_before:0x76EB0000\tMutantHandle__out:0x000001C0\tSTATUS:0x00000000\r\n"}], [{"Action": "CreateMutant"}, {"Time": "7296"}, {"Pid": "19640"}, {"Tid": "19668"}, {"Key": "wuauclt.exe\tPath=Null\tpid:19640\ttid:19668\taction:NtCreateMutant\tMutantHandle:0x0146F69C\tDesiredAccess:0x001F0001\tObjectAttributes->ObjectName:RasPbFile\tInitialOwner:0\tMutantHandle_before:0x00000000\tMutantHandle__out:0x00000000\tSTATUS:0xC0000022\r\n"}]]}], [{"id": 19}, {"title": "Tries to create a thread in another existing process"}, {"threat": 3}, {"rows": [[{"Action": "ThreadCreate"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPid:19624\tThreadId:19628\r\n"}], [{"Action": "ThreadCreate"}, {"Time": "3265"}, {"Pid": "19624"}, {"Tid": 
"19628"}, {"Key": "submitted.exe\tTargetPid:19632\tThreadId:19636\r\n"}], [{"Action": "ThreadCreate"}, {"Time": "3718"}, {"Pid": "19632"}, {"Tid": "19636"}, {"Key": "msiexec.exe\tTargetPid:19640\tThreadId:19644\r\n"}]]}], [{"id": 4}, {"title": "Tries to spawn process"}, {"threat": 1}, {"rows": [[{"Action": "ProcessCreate"}, {"Time": "3078"}, {"Pid": "2020"}, {"Tid": "19620"}, {"Key": "submitted.exe\tTargetPid:19624\tTargetName:submitted.exe\tCommandLine:\"C:\\Share\\new_sandBoxLog\\submitted.exe\" \tDebugMode:0\r\n"}], [{"Action": "ProcessCreate"}, {"Time": "3265"}, {"Pid": "19624"}, {"Tid": "19628"}, {"Key": "submitted.exe\tTargetPid:19632\tTargetName:msiexec.exe\tCommandLine:\"C:\\Share\\new_sandBoxLog\\submitted.exe\"\tDebugMode:0\r\n"}], [{"Action": "ProcessCreate"}, {"Time": "3718"}, {"Pid": "19632"}, {"Tid": "19636"}, {"Key": "msiexec.exe\tTargetPid:19640\tTargetName:wuauclt.exe\tCommandLine:\"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\_install_\\msiexec.exe\" \tDebugMode:0\r\n"}]]}], [{"id": 138}, {"title": "Creates or modifies shortcuts"}, {"threat": 3}, {"rows": [[{"Action": "OpenCreate"}, {"Time": "71968"}, {"Pid": "19640"}, {"Tid": "19656"}, {"Key": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\Removable Disk (1GB).lnk\t-/-FileAttribute:\tNOT DEFINE\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_OVERWRITE_IF\t-/- ShareAccess:FILE_SHARE_READ/WRITE"}]]}]], "malware_processes": {"0": {"LinkID": 0, "Source": " ", "Time": "1359", "Action": " ", "ProcessIDdest": "2020", "ProcessNameDest": "submitted.exe"}, "1": {"LinkID": 4869, "Destination": "submitted.exe[19624]", "Source": "submitted.exe[2020]", "Time": "3078", "Action": "WriteMemory", "ProcessIDdest": "19624", "ProcessNameDest": "submitted.exe"}, "2": {"LinkID": 6040, "Destination": "msiexec.exe[19632]", "Source": "submitted.exe[19624]", "Time": "3265", "Action": "WriteMemory", "ProcessIDdest": "19632", "ProcessNameDest": "msiexec.exe"}, "3": {"LinkID": 6313, "Destination": "wuauclt.exe[19640]", 
"Source": "msiexec.exe[19632]", "Time": "3718", "Action": "WriteMemory", "ProcessIDdest": "19640", "ProcessNameDest": "wuauclt.exe"}}, "benign_behaviors": [], "all_processes": [{"Process Name": "firefox.exe", "PID": 2044, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "csrss.exe", "PID": 620, "Registry": 388, "File": 1326, "Memory": 144}, {"Process Name": "explorer.exe", "PID": 1424, "Registry": 12, "File": 0, "Memory": 0}, {"Process Name": "svchost.exe", "PID": 1076, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "lsass.exe", "PID": 700, "Registry": 8, "File": 0, "Memory": 0}, {"Process Name": "submitted.exe", "PID": 19624, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "wuauclt.exe", "PID": 19640, "Registry": 72, "File": 12, "Memory": 8}, {"Process Name": "services.exe", "PID": 688, "Registry": 895, "File": 0, "Memory": 0}, {"Process Name": "svchost.exe", "PID": 932, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "svchost.exe", "PID": 1016, "Registry": 0, "File": 0, "Memory": 0}, {"Process Name": "winlogon.exe", "PID": 644, "Registry": 0, "File": 0, "Memory": 0}], "malware_created_file": [{"Action": "OpenCreate", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\_install_\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_DIRECTORY_FILE\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:FILE_SHARE_READ/WRITE", "Time": "3109"}, {"Action": "OpenCreate", "Tid": "19628", "Pid": "19624", "Details": "submitted.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\06.tmp\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "3109"}, {"Action": "OpenCreate", "Tid": "19644", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Local 
Settings\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_DIRECTORY_FILE\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:FILE_SHARE_READ/WRITE", "Time": "7015"}, {"Action": "OpenCreate", "Tid": "19644", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Local Settings\\Temp\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_DIRECTORY_FILE\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:FILE_SHARE_READ/WRITE", "Time": "7015"}, {"Action": "OpenCreate", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\07.tmp\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "7062"}, {"Action": "OpenCreate", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\08.tmp\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "28468"}, {"Action": "OpenCreate", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\09.tmp\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_SYNCHRONOUS_IO_NONALERT\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:AccessDenied for read/write/delete", "Time": "49562"}, {"Action": "OpenCreate", "Tid": "19656", "Pid": "19640", "Details": "wuauclt.exe\tPath=\\Device\\Harddisk1\\DP(1)0-0+3\\\u00a0\t-/-FileAttribute:\tFILE_ATTRIBUTE_NORMAL\tFILE_DIRECTORY_FILE\t-/-CreateOption\tFILE_CREATE\t-/- ShareAccess:FILE_SHARE_READ/WRITE", "Time": "71140"}]}