<?xml version="1.0" encoding="UTF-8"?>
<file name="jquery-3_2_1_min_js.js"
JavaScript file--list--
: script in HTML pages"
="
jquery-3_2_1_min_js
"
( SCRIPT )
( UNKOWN )
" report_level="-1" apt_level="-1" sha1="1055018c28ab41087ef9ccefe411606893dabea2" SHA256="87083882cc6015984eb0411a99d3981817f5dc5c90ba24f0940420c5548d82de" SHA512="dcff2b5c2b8625d3593a7531ff4ddcd633939cc9f7acfeb79c18a9e6038fdaa99487960075502f159d44f902d965b0b5aed32b41bfa66a1dc07d85b5d5152b58" md5="c9f5aeeca3ad37bf2aa006139b935f0a" xmd5="1c761a889b51d0820f4d9adc02eedd84" hmd5="50_731eec25e775ebab3fa3dc11c800f0dd" CRC32="1413ff29" SSDEEP="1536:YNhEyjjTikEJO4edXXe9J578go6MWX2xkj8e4c4j2ll2AckaXEP6n15HZ+FhFcQ7:uxc2yjx4j2uX/kcQDU8Cu9" URL="https://www.vgt.pl/js/jquery-3.2.1.min.js"
="/*! jQue
2F 2A 21 20 6A 51 75 65
" size="86659" type="js" error="0" virusresult="" vp_name="img_office07_pdf8_ie7" reportType="final" start_time="2025-04-26 07:14:37" system="winxp" filemagic="ASCII text, with very long lines (32058)" end_time="2025-04-26 07:19:57" exiftool="File Name : jquery-3_2_1_min_js.js--list--File Size : 85 KiB--list--File Modification Date/Time : 2025:04:26 07:14:37+08:00--list--File Access Date/Time : 2025:04:26 07:14:37+08:00--list--File Inode Change Date/Time : 2025:04:26 07:14:37+08:00--list--File Type : TXT--list--File Type Extension : txt--list--MIME Type : text/plain--list--MIME Encoding : us-ascii--list--Newlines : Unix LF--list--Line Count : 4--list--Word Count : 1298--list--" fileDie="Binary: Format: plain text[LF]--list--" time_out="300"><action_list category="System" descr="
" level="-2" name="
<action api_name="versionInfo" call_name="versionInfo" call_pid="0" field="start_boot" name="versionInfo" type="System">
<exInfo_list>
<exInfo descr="
" value="20250410_1700"/>
<exInfo descr="
" value="3.0"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="System" descr="
" level="-2" name="
" policy_id="250ec5fb7be0007e9221a2cb67207029">
<action api_name="AnalyzeStart" call_name="" call_pid="0" call_time="07:14:47.000" err_code="0" field="start_boot" name="AnalyzeStart" ret_value="0" status_value="0" type="System" uniq_id="0">
<apiArg_list count="0"/>
<exInfo_list count="0"/>
</action>
</action_list><action_list attck_id="0x000000" category="System" descr="28.53, 60, 2025-04-26_07:14:46==2025-04-26_07:14:47" level="-2" name="
" policy_id="529c1098d1fdb6d548e8741c51bb8899">
<action api_name="Machine" call_name="" call_pid="0" call_time="07:14:47.001" err_code="0" field="start_boot" name="VasInfo" ret_value="0" status_value="0" type="System" uniq_id="0">
<apiArg_list count="0"/>
<exInfo_list count="3">
<exInfo descr="
" value="28.53"/>
<exInfo descr="
" value="60"/>
<exInfo descr="
" value="2025-04-26_07:14:46==2025-04-26_07:14:47"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Process" descr="
" level="-2" name="
" policy_id="8623ec2522b38a72438034a598ff280b">
<action api_name="Fake_BeCreated" call_name="SyStem.exe" call_pid="784" call_time="07:14:47.002" err_code="0" field="start_boot" name="BeCreated" ret_value="0" status_value="0" type="Process" uniq_id="5">
<apiArg_list count="0"/>
<exInfo_list count="2">
<exInfo descr="
" value="retrats.exe"/>
<exInfo descr="
ID" value="1132"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Process" descr="
" level="-2" name="
" policy_id="8335fcafda9e6fc88149a0f33bebd626">
<action api_name="Fake_BeCreatedEx" call_name="SyStem.exe" call_pid="784" call_time="07:14:47.003" err_code="0" field="start_boot" name="BeCreatedEx" ret_value="0" status_value="0" type="Process" uniq_id="5">
<apiArg_list count="0"/>
<exInfo_list count="7">
<exInfo descr="
" value="retrats.exe"/>
<exInfo descr="
ID" value="1132"/>
<exInfo descr="
" value="D:\SyStem.exe"/>
<exInfo descr="
" value="direct"/>
<exInfo descr="
" value="D:\SyStem.exe"/>
<exInfo descr="
" value="0"/>
<exInfo value="2"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Process" descr="
" level="0" name="
" policy_id="9a33de0b388aab54c6abb44d39ca3f9f">
<!-- Process-creation event: wscript.exe (PID 1164) is started by SyStem.exe (PID 784).
     SyStem.exe is itself created by retrats.exe at the top of this log, so it is presumably
     the sandbox's own launcher rather than part of the sample (confirm against the sandbox docs).
     The sample is run under Windows Script Host, not in a browser, so events attributed to
     PID 1164 from here on include ordinary host start-up and are not all sample-driven. -->
<action api_name="Fake_BeCreated" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.004" err_code="0" field="start_boot" name="BeCreated" ret_value="0" status_value="0" type="Process" uniq_id="29">
<apiArg_list count="0"/>
<exInfo_list count="2">
<exInfo descr="
" value="SyStem.exe"/>
<exInfo descr="
ID" value="784"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Process" descr="
&quot;C:\WINDOWS\System32\WScript.exe&quot; &quot;C:\program\10587\jquery-3_2_1_min_js.js&quot;
direct
" level="0" name="
" policy_id="817ac8dc9ee447d5ecc76bc6d5633102">
<action api_name="Fake_BeCreatedEx" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.005" err_code="0" field="start_boot" name="BeCreatedEx" ret_value="0" status_value="0" type="Process" uniq_id="29">
<apiArg_list count="0"/>
<exInfo_list count="7">
<exInfo descr="
" value="SyStem.exe"/>
<exInfo descr="
ID" value="784"/>
<exInfo descr="
" value="&quot;C:\WINDOWS\System32\WScript.exe&quot; &quot;C:\program\10587\jquery-3_2_1_min_js.js&quot; "/>
<exInfo descr="
" value="direct"/>
<exInfo descr="
" value="C:\WINDOWS\system32\wscript.exe"/>
<exInfo descr="
" value="1"/>
<exInfo value="5"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\advapi32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.083" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\advapi32.dll"/>
<exInfo descr="
" value="00077da0000"/>
<exInfo descr="
" value="000a9000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\rpcrt4.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.089" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\rpcrt4.dll"/>
<exInfo descr="
" value="00077e50000"/>
<exInfo descr="
" value="00092000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\secur32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.094" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\secur32.dll"/>
<exInfo descr="
" value="00077fc0000"/>
<exInfo descr="
" value="00011000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\user32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.099" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\user32.dll"/>
<exInfo descr="
" value="00077d10000"/>
<exInfo descr="
" value="00090000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\gdi32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.104" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\gdi32.dll"/>
<exInfo descr="
" value="00077ef0000"/>
<exInfo descr="
" value="00049000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\msvcrt.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.109" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\msvcrt.dll"/>
<exInfo descr="
" value="00077be0000"/>
<exInfo descr="
" value="00058000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\oleaut32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.126" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\oleaut32.dll"/>
<exInfo descr="
" value="000770f0000"/>
<exInfo descr="
" value="0008b000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\ole32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.139" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\ole32.dll"/>
<exInfo descr="
" value="00076990000"/>
<exInfo descr="
" value="00013d000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\version.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.151" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\version.dll"/>
<exInfo descr="
" value="00077bd0000"/>
<exInfo descr="
" value="0008000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\ShimEng.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.161" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013f628"/>
<apiArg value="0013f600"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\ShimEng.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\shimeng.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.168" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\shimeng.dll"/>
<exInfo descr="
" value="0005cc30000"/>
<exInfo descr="
" value="00026000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1060004" category="File" descr="
\SystemRoot\AppPatch\systest.sdb" level="-1" name="
" policy_id="d8acebf36b2921029cf5409ea7804537">
<!-- Existence probe for \SystemRoot\AppPatch\systest.sdb issued from wscript.exe (PID 1164).
     ret_value c0000034 is STATUS_OBJECT_NAME_NOT_FOUND, i.e. the file is absent.
     The path is in the application-compatibility (AppPatch) directory and the probe comes
     right after shimeng.dll is loaded, so this is presumably shim-engine start-up rather than
     script behaviour. Confirm before treating the attck_id tag on the enclosing action_list
     as a finding about the sample. -->
<action api_name="NtCreateFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.191" err_code="0" field="start_boot" name="CheckFileExist" ret_value="c0000034" status_value="0" type="File" uniq_id="29">
<apiArg_list count="11">
<apiArg value="0013f67c"/>
<apiArg value="80100080"/>
<apiArg value="0013f648"/>
<apiArg value="0013f66c"/>
<apiArg value="00000000"/>
<apiArg value="00000080"/>
<apiArg value="00000001"/>
<apiArg value="00000001"/>
<apiArg value="00000060"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="\SystemRoot\AppPatch\systest.sdb"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1060004" category="File" descr="
\Device\NamedPipe\ShimViewer" level="-1" name="
" policy_id="d8acebf36b2921029cf5409ea7804537">
<action api_name="NtCreateFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.196" err_code="0" field="start_boot" name="CheckFileExist" ret_value="c0000034" status_value="0" type="File" uniq_id="29">
<apiArg_list count="11">
<apiArg value="0013f700"/>
<apiArg value="00120116"/>
<apiArg value="0013f6d8"/>
<apiArg value="0013f6f8"/>
<apiArg value="00000000"/>
<apiArg value="00000080"/>
<apiArg value="00000000"/>
<apiArg value="00000001"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="\Device\NamedPipe\ShimViewer"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\AppPatch\AcGenral.DLL
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.230" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013ed1c"/>
<apiArg value="0013ecf4"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\AppPatch\AcGenral.DLL"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\AppPatch\acgenral.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.248" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\AppPatch\acgenral.dll"/>
<exInfo descr="
" value="00058fb0000"/>
<exInfo descr="
" value="0001ca000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\WINMM.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.252" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e64c"/>
<apiArg value="0013e624"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\WINMM.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\winmm.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.256" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\winmm.dll"/>
<exInfo descr="
" value="00076b10000"/>
<exInfo descr="
" value="0002a000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\MSACM32.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.260" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e64c"/>
<apiArg value="0013e624"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\MSACM32.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\msacm32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.264" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\msacm32.dll"/>
<exInfo descr="
" value="00077bb0000"/>
<exInfo descr="
" value="00015000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\shell32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.275" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\shell32.dll"/>
<exInfo descr="
" value="0007d590000"/>
<exInfo descr="
" value="0007f4000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\shlwapi.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.288" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\shlwapi.dll"/>
<exInfo descr="
" value="00077f40000"/>
<exInfo descr="
" value="00076000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\userenv.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.302" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\userenv.dll"/>
<exInfo descr="
" value="000759d0000"/>
<exInfo descr="
" value="000af000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\UxTheme.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.313" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e64c"/>
<apiArg value="0013e624"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\UxTheme.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\uxtheme.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.317" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\uxtheme.dll"/>
<exInfo descr="
" value="0005adc0000"/>
<exInfo descr="
" value="00037000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="System" descr="
SHIMLIB_LOG_MUTEX" level="-1" name="
" policy_id="880e3333fd9e211137792adf3b47d64b">
<!-- Named-mutex creation for SHIMLIB_LOG_MUTEX from wscript.exe (PID 1164).
     ret_value 40000000 matches STATUS_OBJECT_NAME_EXISTS, which would mean the mutex was
     already present when the call was made.
     NOTE(review): err_code 6 and status_value c0000008 recur unchanged on unrelated later
     events in this log, so they look like carried-over thread last-error values, not this
     call's own result. Confirm the field semantics before relying on them.
     The name and the preceding shimeng.dll / acgenral.dll loads suggest a compatibility-shim
     logging mutex, not a sample-chosen marker (presumed; verify on a clean baseline run). -->
<action api_name="NtCreateMutant" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.376" err_code="6" field="start_boot" name="CreateMutex" ret_value="40000000" status_value="c0000008" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="0013e9a4"/>
<apiArg value="001f0001"/>
<apiArg value="0013e984"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="SHIMLIB_LOG_MUTEX"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1060004" category="File" descr="
\Device\NamedPipe\ShimViewer" level="-1" name="
" policy_id="d8acebf36b2921029cf5409ea7804537">
<action api_name="NtCreateFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.402" err_code="cb" field="start_boot" name="CheckFileExist" ret_value="c0000034" status_value="c0000100" type="File" uniq_id="29">
<apiArg_list count="11">
<apiArg value="0013f0ec"/>
<apiArg value="00120116"/>
<apiArg value="0013f0b4"/>
<apiArg value="0013f0e4"/>
<apiArg value="00000000"/>
<apiArg value="00000080"/>
<apiArg value="00000000"/>
<apiArg value="00000001"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="\Device\NamedPipe\ShimViewer"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.486" err_code="cb" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="77da9828"/>
<apiArg value="00000000"/>
<apiArg value="00020019"/>
<apiArg value="0013f7a4"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\IMM32.DLL
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.502" err_code="cb" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e9a4"/>
<apiArg value="0013e97c"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\IMM32.DLL"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\imm32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.521" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\imm32.dll"/>
<exInfo descr="
" value="00076300000"/>
<exInfo descr="
" value="0001d000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\IMM32.DLL
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.531" err_code="7e" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000135" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013de70"/>
<apiArg value="0013de48"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\IMM32.DLL"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\lpk.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.540" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\lpk.dll"/>
<exInfo descr="
" value="00062c20000"/>
<exInfo descr="
" value="0009000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\USP10.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.543" err_code="7e" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000135" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e7b8"/>
<apiArg value="0013e790"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\USP10.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\usp10.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.547" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\usp10.dll"/>
<exInfo descr="
" value="00073fa0000"/>
<exInfo descr="
" value="0006b000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x10a003f" category="System" descr="
" level="-1" name="
" policy_id="c467f6abc0a9b580343c13f877815733">
<!-- Sandbox event named DetectDebugger, attributed to wscript.exe (PID 1164).
     The api_name carries the same Fake_ prefix as the process-creation events, so it is
     presumably synthesized by the sandbox and is not a hooked Windows API call.
     The only detail recorded is the string PerfEvaluate; the four apiArg values are raw words
     with no named API behind them.
     It fires about 0.6 s after wscript.exe is created, in the middle of system DLL loading.
     On the evidence in this log it cannot be attributed to the script's own code.
     TODO confirm what the enclosing policy_id matches before reporting anti-debugging. -->
<action api_name="Fake_DetectDebugger" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.629" err_code="6" field="start_boot" name="DetectDebugger" ret_value="0" status_value="c0000008" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="00000008"/>
<apiArg value="e10ab230"/>
<apiArg value="00000bd8"/>
<apiArg value="f75cc9e0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="PerfEvaluate"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1040025" category="Reg" descr="
Unknown Key\Seed
ab707943ea11ea8cc0af1dadd076779b74bcf75ab071190c281cf9628c2fc6d0" level="0" name="
" policy_id="3f310168ca3478ecdeb96530ad614af8">
<!-- Registry value write attributed to wscript.exe (PID 1164): value name Seed, type 0003
     (REG_BINARY). The sandbox did not resolve the key path and records it as "Unknown Key".
     If the sixth apiArg (00000050) is NtSetValueKey's data size, the write is 80 bytes,
     while the Data field below holds 32 bytes, so the logged data may be truncated.
     NOTE(review): a binary value named Seed written during process start-up resembles the
     Windows CryptoAPI RNG seed refresh. Resolve the key path (for example from a baseline
     run of wscript.exe with an empty script) before using this write or its data as an
     indicator for the sample. -->
<action api_name="NtSetValueKey" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.631" err_code="6" field="start_boot" name="SetKeyValue" ret_value="0" status_value="c0000008" type="Reg" uniq_id="29">
<apiArg_list count="6">
<apiArg value="80000530"/>
<apiArg value="f75cc9a8"/>
<apiArg value="00000000"/>
<apiArg value="00000003"/>
<apiArg value="f75ccb0c"/>
<apiArg value="00000050"/>
</apiArg_list>
<exInfo_list count="5">
<exInfo descr="
Key" value="Unknown Key"/>
<exInfo descr="
Value" value="Seed"/>
<exInfo descr="
" value="Unknown Key\Seed"/>
<exInfo descr="
Type" value="0003"/>
<exInfo descr="
Data" value="ab707943ea11ea8cc0af1dadd076779b74bcf75ab071190c281cf9628c2fc6d0"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExA" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.650" err_code="2" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="770f17b4"/>
<apiArg value="00000000"/>
<apiArg value="00000001"/>
<apiArg value="0013f868"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExA" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.656" err_code="2" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="770f1c7c"/>
<apiArg value="00000000"/>
<apiArg value="00000009"/>
<apiArg value="0013f844"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExA" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.657" err_code="2" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="770f17b4"/>
<apiArg value="00000000"/>
<apiArg value="00000001"/>
<apiArg value="0013f888"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\acm" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.738" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="77bb18f8"/>
<apiArg value="00000000"/>
<apiArg value="00000009"/>
<apiArg value="0013f340"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\acm"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExA" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.741" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="77f44fdc"/>
<apiArg value="00000000"/>
<apiArg value="02000000"/>
<apiArg value="0013f8ac"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1060004" category="File" descr="
C:\WINDOWS\System32\WScript.exe.Local\" level="-1" name="
" policy_id="d4b1ef612469b81734b34e817494c0f1">
<!-- Existence probe (name CheckFileExist) for a ".Local" directory beside the host
     executable; ret_value c0000034 is STATUS_OBJECT_NAME_NOT_FOUND, so the
     directory is absent. The enclosing action_list tags this with attck_id
     0x1060004.
     NOTE(review): presumably this is the Windows loader's .local DLL-redirection
     check made at process start-up, not a lookup driven by the analysed script.
     Verify before counting the tag as sample behaviour. -->
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.767" err_code="b7" field="start_boot" name="CheckFileExist" ret_value="c0000034" status_value="0" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e7ec"/>
<apiArg value="0013e7c4"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\WScript.exe.Local\"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.768" err_code="b7" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e834"/>
<apiArg value="0013e804"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.778" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll"/>
<exInfo descr="
" value="00077180000"/>
<exInfo descr="
" value="000103000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\WindowsShell.Manifest
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.832" err_code="b7" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e2b4"/>
<apiArg value="0013e28c"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\WindowsShell.Manifest"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\WindowsShell.Manifest" level="-1" name="
" policy_id="a582a1e03bc2cba52e37bd28525d5af9">
<action api_name="NtReadFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.834" err_code="0" field="start_boot" name="ReadFile" ret_value="60" status_value="0" type="File" uniq_id="29">
<apiArg_list count="16">
<apiArg value="00000068"/>
<apiArg value="00000000"/>
<apiArg value="00000002"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00158d80"/>
<apiArg value="0013e61a"/>
<apiArg value="02080000"/>
<apiArg value="0013e604"/>
<apiArg value="000a0008"/>
<apiArg value="7c814e90"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\WindowsShell.Manifest"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\comctl32.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.891" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\comctl32.dll"/>
<exInfo descr="
" value="0005d170000"/>
<exInfo descr="
" value="0009a000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\WScript.exe
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.993" err_code="b7" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013ead0"/>
<apiArg value="0013eaa8"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\WScript.exe"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\zh-cn\wscript.exe.mui" level="-1" name="
" policy_id="a426ca02c07908137170d3fb329aaff0">
<action api_name="NtReadFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.998" err_code="0" field="start_boot" name="ReadFile" ret_value="6c" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="16">
<apiArg value="00000068"/>
<apiArg value="00000000"/>
<apiArg value="00000008"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="01016eec"/>
<apiArg value="01000000"/>
<apiArg value="01000000"/>
<apiArg value="0013f3bc"/>
<apiArg value="0101656f"/>
<apiArg value="0013f1b0"/>
<apiArg value="00000001"/>
<apiArg value="00000001"/>
<apiArg value="01000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\zh-cn\wscript.exe.mui"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\rpcss.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<!-- Timeline caveat: call_time here is 07:14:50.010 although the preceding action
     is stamped 07:14:50.998. The millisecond field wraps while the seconds field
     stays at 50 for the following records. Do not sort events by call_time alone;
     document order looks like the reliable sequence (TODO confirm with the
     sandbox's documentation). -->
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.010" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013f5d8"/>
<apiArg value="0013f5b0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\rpcss.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x10a003f" category="System" descr="
" level="-1" name="
" policy_id="c467f6abc0a9b580343c13f877815733">
<!-- First of a recurring event pair (repeated below at roughly 11 ms intervals):
     a Fake_DetectDebugger record tagged PerfEvaluate, immediately followed by an
     NtSetValueKey on a value named Seed.
     In the NtSetValueKey arguments, 00000003 is REG_BINARY and 00000050 is a data
     size of 80 bytes, so the logged Data string is shorter than the buffer that
     was written and should not be used as a complete indicator.
     The handle 80000530 and the pointers f75cc9a8 / f75ccb0c are kernel-range
     values, which suggests the write was issued in kernel mode while running in
     the context of wscript.exe, not by the script itself.
     NOTE(review): an 80-byte REG_BINARY value named Seed is consistent with the
     system RNG seed under HKLM\SOFTWARE\Microsoft\Cryptography\RNG, but the report
     only resolves the key as "Unknown Key"; confirm before dismissing.
     NOTE(review): the Fake_ prefix presumably marks an event synthesised by the
     sandbox's own hook, not a Win32 API called by the sample. -->
<action api_name="Fake_DetectDebugger" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.033" err_code="7e" field="start_boot" name="DetectDebugger" ret_value="0" status_value="c0000135" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="00000008"/>
<apiArg value="e108f230"/>
<apiArg value="00000bd8"/>
<apiArg value="f75cc9e0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="PerfEvaluate"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1040025" category="Reg" descr="
Unknown Key\Seed
25c3fbf31202030a5aec61edb71d5af89ba45b1073ab1dec0c5068c3af473d6" level="0" name="
" policy_id="3f310168ca3478ecdeb96530ad614af8">
<action api_name="NtSetValueKey" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.035" err_code="7e" field="start_boot" name="SetKeyValue" ret_value="0" status_value="c0000135" type="Reg" uniq_id="29">
<apiArg_list count="6">
<apiArg value="80000530"/>
<apiArg value="f75cc9a8"/>
<apiArg value="00000000"/>
<apiArg value="00000003"/>
<apiArg value="f75ccb0c"/>
<apiArg value="00000050"/>
</apiArg_list>
<exInfo_list count="5">
<exInfo descr="
Key" value="Unknown Key"/>
<exInfo descr="
Value" value="Seed"/>
<exInfo descr="
" value="Unknown Key\Seed"/>
<exInfo descr="
Type" value="0003"/>
<exInfo descr="
Data" value="25c3fbf31202030a5aec61edb71d5af89ba45b1073ab1dec0c5068c3af473d6"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x10a003f" category="System" descr="
" level="-1" name="
" policy_id="c467f6abc0a9b580343c13f877815733">
<action api_name="Fake_DetectDebugger" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.045" err_code="7e" field="start_boot" name="DetectDebugger" ret_value="0" status_value="c0000135" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="00000008"/>
<apiArg value="e1090230"/>
<apiArg value="00000bd8"/>
<apiArg value="f75cc9e0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="PerfEvaluate"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1040025" category="Reg" descr="
Unknown Key\Seed
af4086ca7766ada22ad09368dbfa74db3ec259321f5c69174e052c07ba48309" level="0" name="
" policy_id="3f310168ca3478ecdeb96530ad614af8">
<action api_name="NtSetValueKey" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.047" err_code="7e" field="start_boot" name="SetKeyValue" ret_value="0" status_value="c0000135" type="Reg" uniq_id="29">
<apiArg_list count="6">
<apiArg value="80000530"/>
<apiArg value="f75cc9a8"/>
<apiArg value="00000000"/>
<apiArg value="00000003"/>
<apiArg value="f75ccb0c"/>
<apiArg value="00000050"/>
</apiArg_list>
<exInfo_list count="5">
<exInfo descr="
Key" value="Unknown Key"/>
<exInfo descr="
Value" value="Seed"/>
<exInfo descr="
" value="Unknown Key\Seed"/>
<exInfo descr="
Type" value="0003"/>
<exInfo descr="
Data" value="af4086ca7766ada22ad09368dbfa74db3ec259321f5c69174e052c07ba48309"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x10a003f" category="System" descr="
" level="-1" name="
" policy_id="c467f6abc0a9b580343c13f877815733">
<action api_name="Fake_DetectDebugger" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.056" err_code="7e" field="start_boot" name="DetectDebugger" ret_value="0" status_value="c0000135" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="00000008"/>
<apiArg value="e1092230"/>
<apiArg value="00000bd8"/>
<apiArg value="f75cc9e0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="PerfEvaluate"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1040025" category="Reg" descr="
Unknown Key\Seed
bc029eaa082a34b594529a94bcbcb93bc30c065b4420da4debdf89e4f93960f5" level="0" name="
" policy_id="3f310168ca3478ecdeb96530ad614af8">
<action api_name="NtSetValueKey" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.058" err_code="7e" field="start_boot" name="SetKeyValue" ret_value="0" status_value="c0000135" type="Reg" uniq_id="29">
<apiArg_list count="6">
<apiArg value="80000530"/>
<apiArg value="f75cc9a8"/>
<apiArg value="00000000"/>
<apiArg value="00000003"/>
<apiArg value="f75ccb0c"/>
<apiArg value="00000050"/>
</apiArg_list>
<exInfo_list count="5">
<exInfo descr="
Key" value="Unknown Key"/>
<exInfo descr="
Value" value="Seed"/>
<exInfo descr="
" value="Unknown Key\Seed"/>
<exInfo descr="
Type" value="0003"/>
<exInfo descr="
Data" value="bc029eaa082a34b594529a94bcbcb93bc30c065b4420da4debdf89e4f93960f5"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x10a003f" category="System" descr="
" level="-1" name="
" policy_id="c467f6abc0a9b580343c13f877815733">
<action api_name="Fake_DetectDebugger" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.067" err_code="7e" field="start_boot" name="DetectDebugger" ret_value="0" status_value="c0000135" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="00000008"/>
<apiArg value="e1098230"/>
<apiArg value="00000bd8"/>
<apiArg value="f75cc9e0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="PerfEvaluate"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1040025" category="Reg" descr="
Unknown Key\Seed
3567fd8b37719fbdacec333e5c3058339ad3f334bc0d933f9c6faf06ae39332a" level="0" name="
" policy_id="3f310168ca3478ecdeb96530ad614af8">
<action api_name="NtSetValueKey" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.069" err_code="7e" field="start_boot" name="SetKeyValue" ret_value="0" status_value="c0000135" type="Reg" uniq_id="29">
<apiArg_list count="6">
<apiArg value="80000530"/>
<apiArg value="f75cc9a8"/>
<apiArg value="00000000"/>
<apiArg value="00000003"/>
<apiArg value="f75ccb0c"/>
<apiArg value="00000050"/>
</apiArg_list>
<exInfo_list count="5">
<exInfo descr="
Key" value="Unknown Key"/>
<exInfo descr="
Value" value="Seed"/>
<exInfo descr="
" value="Unknown Key\Seed"/>
<exInfo descr="
Type" value="0003"/>
<exInfo descr="
Data" value="3567fd8b37719fbdacec333e5c3058339ad3f334bc0d933f9c6faf06ae39332a"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x10a003f" category="System" descr="
" level="-1" name="
" policy_id="c467f6abc0a9b580343c13f877815733">
<action api_name="Fake_DetectDebugger" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.078" err_code="7e" field="start_boot" name="DetectDebugger" ret_value="0" status_value="c0000135" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="00000008"/>
<apiArg value="e109a230"/>
<apiArg value="00000bd8"/>
<apiArg value="f75cc9e0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="PerfEvaluate"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1040025" category="Reg" descr="
Unknown Key\Seed
bdc88078111d84c2e2820a36408bd48cb01448f90a69c861c70727a2e91ae148" level="0" name="
" policy_id="3f310168ca3478ecdeb96530ad614af8">
<action api_name="NtSetValueKey" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.080" err_code="7e" field="start_boot" name="SetKeyValue" ret_value="0" status_value="c0000135" type="Reg" uniq_id="29">
<apiArg_list count="6">
<apiArg value="80000530"/>
<apiArg value="f75cc9a8"/>
<apiArg value="00000000"/>
<apiArg value="00000003"/>
<apiArg value="f75ccb0c"/>
<apiArg value="00000050"/>
</apiArg_list>
<exInfo_list count="5">
<exInfo descr="
Key" value="Unknown Key"/>
<exInfo descr="
Value" value="Seed"/>
<exInfo descr="
" value="Unknown Key\Seed"/>
<exInfo descr="
Type" value="0003"/>
<exInfo descr="
Data" value="bdc88078111d84c2e2820a36408bd48cb01448f90a69c861c70727a2e91ae148"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x10a003f" category="System" descr="
" level="-1" name="
" policy_id="c467f6abc0a9b580343c13f877815733">
<action api_name="Fake_DetectDebugger" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.089" err_code="7e" field="start_boot" name="DetectDebugger" ret_value="0" status_value="c0000135" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="00000008"/>
<apiArg value="e109b230"/>
<apiArg value="00000bd8"/>
<apiArg value="f75cc9e0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="PerfEvaluate"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1040025" category="Reg" descr="
Unknown Key\Seed
ed26554f3a04d03cccc0aadbbb8a83912157f7c68a092f4ef08b4bf6f050178c" level="0" name="
" policy_id="3f310168ca3478ecdeb96530ad614af8">
<action api_name="NtSetValueKey" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.091" err_code="7e" field="start_boot" name="SetKeyValue" ret_value="0" status_value="c0000135" type="Reg" uniq_id="29">
<apiArg_list count="6">
<apiArg value="80000530"/>
<apiArg value="f75cc9a8"/>
<apiArg value="00000000"/>
<apiArg value="00000003"/>
<apiArg value="f75ccb0c"/>
<apiArg value="00000050"/>
</apiArg_list>
<exInfo_list count="5">
<exInfo descr="
Key" value="Unknown Key"/>
<exInfo descr="
Value" value="Seed"/>
<exInfo descr="
" value="Unknown Key\Seed"/>
<exInfo descr="
Type" value="0003"/>
<exInfo descr="
Data" value="ed26554f3a04d03cccc0aadbbb8a83912157f7c68a092f4ef08b4bf6f050178c"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x10a003f" category="System" descr="
" level="-1" name="
" policy_id="c467f6abc0a9b580343c13f877815733">
<action api_name="Fake_DetectDebugger" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.100" err_code="7e" field="start_boot" name="DetectDebugger" ret_value="0" status_value="c0000135" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="00000008"/>
<apiArg value="e109c230"/>
<apiArg value="00000bd8"/>
<apiArg value="f75cc9e0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="PerfEvaluate"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1040025" category="Reg" descr="
Unknown Key\Seed
ab6484e4b7d5393e76e72e2fc9faa0f4cb8268264a1c5d927c688b6e03b1253c" level="0" name="
" policy_id="3f310168ca3478ecdeb96530ad614af8">
<action api_name="NtSetValueKey" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.102" err_code="7e" field="start_boot" name="SetKeyValue" ret_value="0" status_value="c0000135" type="Reg" uniq_id="29">
<apiArg_list count="6">
<apiArg value="80000530"/>
<apiArg value="f75cc9a8"/>
<apiArg value="00000000"/>
<apiArg value="00000003"/>
<apiArg value="f75ccb0c"/>
<apiArg value="00000050"/>
</apiArg_list>
<exInfo_list count="5">
<exInfo descr="
Key" value="Unknown Key"/>
<exInfo descr="
Value" value="Seed"/>
<exInfo descr="
" value="Unknown Key\Seed"/>
<exInfo descr="
Type" value="0003"/>
<exInfo descr="
Data" value="ab6484e4b7d5393e76e72e2fc9faa0f4cb8268264a1c5d927c688b6e03b1253c"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\MSCTF.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.116" err_code="7e" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000135" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013efa4"/>
<apiArg value="0013ef7c"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\MSCTF.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\msctf.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.127" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\msctf.dll"/>
<exInfo descr="
" value="00074680000"/>
<exInfo descr="
" value="0004c000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\ntdll.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.143" err_code="7e" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000135" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e684"/>
<apiArg value="0013e65c"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\ntdll.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\imm32.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.147" err_code="7e" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000135" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e68c"/>
<apiArg value="0013e664"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\imm32.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\WScript.exe" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExA" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.153" err_code="b7" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="0013ef64"/>
<apiArg value="00000000"/>
<apiArg value="00020019"/>
<apiArg value="0013ed30"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\WScript.exe"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="System" descr="
CTF.LBES.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003" level="-1" name="
" policy_id="d02cc2b7a11ad6345c9cbe6566ab7d9f">
<!-- NtCreateMutant for one of the CTF.* mutexes whose name ends in the user SID.
     ret_value 40000000 is STATUS_OBJECT_NAME_EXISTS and err_code b7 is
     ERROR_ALREADY_EXISTS: the object was already present, so this process opened
     an existing mutex instead of creating a new one.
     NOTE(review): these names presumably come from msctf.dll, whose load is logged
     shortly before this record; they are poor indicators for this sample. -->
<action api_name="NtCreateMutant" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.157" err_code="b7" field="start_boot" name="CreateMutex" ret_value="40000000" status_value="0" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="0013f028"/>
<apiArg value="001f0001"/>
<apiArg value="0013f008"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="CTF.LBES.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="System" descr="
CTF.Compart.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003" level="-1" name="
" policy_id="d02cc2b7a11ad6345c9cbe6566ab7d9f">
<action api_name="NtCreateMutant" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.158" err_code="b7" field="start_boot" name="CreateMutex" ret_value="40000000" status_value="0" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="0013f028"/>
<apiArg value="001f0001"/>
<apiArg value="0013f008"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="CTF.Compart.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="System" descr="
CTF.Asm.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003" level="-1" name="
" policy_id="d02cc2b7a11ad6345c9cbe6566ab7d9f">
<action api_name="NtCreateMutant" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.159" err_code="b7" field="start_boot" name="CreateMutex" ret_value="40000000" status_value="0" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="0013f028"/>
<apiArg value="001f0001"/>
<apiArg value="0013f008"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="CTF.Asm.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="System" descr="
CTF.Layouts.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003" level="-1" name="
" policy_id="d02cc2b7a11ad6345c9cbe6566ab7d9f">
<action api_name="NtCreateMutant" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.160" err_code="b7" field="start_boot" name="CreateMutex" ret_value="40000000" status_value="0" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="0013f028"/>
<apiArg value="001f0001"/>
<apiArg value="0013f008"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="CTF.Layouts.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="System" descr="
CTF.TMD.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003" level="-1" name="
" policy_id="d02cc2b7a11ad6345c9cbe6566ab7d9f">
<action api_name="NtCreateMutant" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.161" err_code="b7" field="start_boot" name="CreateMutex" ret_value="40000000" status_value="0" type="System" uniq_id="29">
<apiArg_list count="4">
<apiArg value="0013f028"/>
<apiArg value="001f0001"/>
<apiArg value="0013f008"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="CTF.TMD.MutexDefaultS-1-5-21-1343024091-842925246-1801674531-1003"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\KERNEL32.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.169" err_code="b7" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013e5d8"/>
<apiArg value="0013e5b0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\KERNEL32.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.178" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="77e6c5b0"/>
<apiArg value="00000000"/>
<apiArg value="00020019"/>
<apiArg value="0013f70c"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WScript.exe\RpcThreadPoolThrottle" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<!-- Read-only open (fourth argument 00020019 = KEY_READ) of a subkey under
     Image File Execution Options\WScript.exe; ret_value 2 (ERROR_FILE_NOT_FOUND)
     means the subkey is not present.
     Image File Execution Options is a location defenders monitor for debugger
     hijacking, but this record is only a failed read, and no write to that
     location appears in this part of the report.
     NOTE(review): the subkey name RpcThreadPoolThrottle suggests an RPC runtime
     setting lookup; confirm. -->
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.182" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="0013f450"/>
<apiArg value="00000000"/>
<apiArg value="00020019"/>
<apiArg value="0013f448"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WScript.exe\RpcThreadPoolThrottle"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.192" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="77e6cc98"/>
<apiArg value="00000000"/>
<apiArg value="00020019"/>
<apiArg value="0013f71c"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x10a003f" category="System" descr="
" level="-1" name="
" policy_id="c467f6abc0a9b580343c13f877815733">
<action api_name="Fake_DetectDebugger" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.193" err_code="0" field="start_boot" name="DetectDebugger" ret_value="1" status_value="c0000034" type="System" uniq_id="29">
<apiArg_list count="1">
<apiArg value="0013f6c0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="MemoryOperation"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\winlogon.exe
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.200" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013ee34"/>
<apiArg value="0013ee0c"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\winlogon.exe"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x101001F" category="System" descr="
ID {E60C73E6-88F9-11CF-9AF1-0020AF6E72F4}_0
(WinSta0\Default,C:\WINDOWS\System32\WScript.exe,1164,0,10)
Unknown" level="0" name="RPC
" policy_id="2d3f1729c6b697fd96e430662dd20db3">
<!-- RPC client request issued from wscript.exe. err_code, ret_value and
     status_value all hold abadbeef, which reads as a filler pattern and not a
     real result code, so this record carries no outcome information.
     The second exInfo value lists the window station/desktop, the image path and
     the pid 1164 of the calling process.
     NOTE(review): interface {E60C73E6-88F9-11CF-9AF1-0020AF6E72F4} is presumably
     the local object exporter served by rpcss (COM start-up), with the trailing
     _0 being the operation number; confirm before relying on the attck_id
     0x101001F tag of the enclosing action_list. -->
<action api_name="NdrpClientMarshal" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.213" err_code="abadbeef" field="start_boot" name="RpcClientRequest" ret_value="abadbeef" status_value="abadbeef" type="Process" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013f358"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="RPC
ID" value="{E60C73E6-88F9-11CF-9AF1-0020AF6E72F4}_0"/>
<exInfo descr="
" value="(WinSta0\Default,C:\WINDOWS\System32\WScript.exe,1164,0,10)"/>
<exInfo descr="RPC
" value="Unknown"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\xpsp2res.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.234" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<apiArg_list count="2">
<apiArg value="0013ef78"/>
<apiArg value="0013ef50"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\xpsp2res.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\xpsp2res.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.239" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\xpsp2res.dll"/>
<exInfo descr="
" value="0009f0000"/>
<exInfo descr="
" value="000549000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x1060001" category="System" descr="
" level="0" name="
" policy_id="93dbab0994c271d6c61206a6b3454077">
<!-- Host-name query; ret_value 1 indicates the call succeeded. The returned name
     is not logged (exInfo_list is empty). The enclosing action_list tags it with
     attck_id 0x1060001.
     NOTE(review): the lsarpc pipe traffic logged right after this call suggests
     the name is read as part of RPC/LSA client set-up and not by the script;
     confirm before treating it as discovery behaviour of the sample. -->
<action api_name="GetComputerNameW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.252" err_code="cb" field="start_boot" name="GetComputerName" ret_value="1" status_value="c0000100" type="System" uniq_id="29">
<apiArg_list count="2">
<apiArg value="77edb3ec"/>
<apiArg value="77edb070"/>
</apiArg_list>
<exInfo_list count="0"/>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
NamedPipe\lsarpc" level="-1" name="
" policy_id="b5805f9bd24ef5d2923955c88b77337e">
<action api_name="NtWriteFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.263" err_code="0" field="start_boot" name="WriteFile" ret_value="0" status_value="c000007c" type="File" uniq_id="29">
<!-- Write to the lsarpc named pipe, the local transport for LSA RPC. NtWriteFile takes nine
     parameters, so the seventh apiArg (00000048) is the Length: a 0x48 byte request.
     status_value c000007c equals STATUS_NO_TOKEN while ret_value is 0; it may be a carried-over
     thread status. NOTE(review): LSA pipe traffic at script-host start-up is normally issued by
     Windows APIs (for example account or SID lookup), so confirm before treating it as sample intent. -->
<apiArg_list count="9">
<apiArg value="000000dc"/>
<apiArg value="000000a1"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="0013f30c"/>
<apiArg value="0015fcd8"/>
<apiArg value="00000048"/>
<apiArg value="0013f2dc"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="NamedPipe\lsarpc"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
NamedPipe\lsarpc" level="-1" name="
" policy_id="16feb2b4176817dc3ebf366497576f1a">
<action api_name="NtReadFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.266" err_code="0" field="start_boot" name="ReadFile" ret_value="0" status_value="c000007c" type="File" uniq_id="29">
<!-- Read from the lsarpc named pipe on handle 000000dc, the same handle value as the write recorded
     3 ms earlier, so this is presumably the reply to that request. The seventh apiArg (00000400)
     is the Length parameter of NtReadFile: a 0x400 byte receive buffer.
     status_value c000007c (STATUS_NO_TOKEN) with ret_value 0 may be a carried-over thread status. -->
<apiArg_list count="9">
<apiArg value="000000dc"/>
<apiArg value="000000a1"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="001565b4"/>
<apiArg value="0015fde8"/>
<apiArg value="00000400"/>
<apiArg value="0013f2e0"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="NamedPipe\lsarpc"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x0000000" category="Process" descr="
ID {12345778-1234-ABCD-EF00-0123456789AB}_44
Unknown" level="-1" name="RPC
" policy_id="2d5e7238a7f5248186a0fd1f966b421a">
<action api_name="NdrpClientMarshal" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.269" err_code="abadbeef" field="start_boot" name="RpcClientRequest" ret_value="abadbeef" status_value="abadbeef" type="Process" uniq_id="29">
<!-- Client-side RPC marshalling record. Interface {12345778-1234-ABCD-EF00-0123456789AB} is the
     LSA remote interface (lsarpc), matching the named pipe used just before. The _44 suffix is
     presumably the opnum; opnum 44 on this interface is LsarOpenPolicy2. NOTE(review): confirm the
     suffix encoding. abadbeef in err_code, ret_value and status_value looks like a sentinel the
     sandbox writes when no value was captured, not a real status code. -->
<apiArg_list count="2">
<apiArg value="0013f64c"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="RPC
ID" value="{12345778-1234-ABCD-EF00-0123456789AB}_44"/>
<exInfo descr="
" value="()"/>
<exInfo descr="RPC
" value="Unknown"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x101001F" category="System" descr="
ID {12345778-1234-ABCD-EF00-0123456789AB}_57
(00160218)
Unknown" level="0" name="RPC
" policy_id="2d3f1729c6b697fd96e430662dd20db3">
<action api_name="NdrpClientMarshal" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.273" err_code="abadbeef" field="start_boot" name="RpcClientRequest" ret_value="abadbeef" status_value="abadbeef" type="Process" uniq_id="29">
<!-- RPC request on the LSA interface {12345778-1234-ABCD-EF00-0123456789AB}. The _57 suffix is
     presumably the opnum; opnum 57 on this interface is LsarLookupSids2, a SID to name translation.
     The value (00160218) is recorded without a usable label in this export, so its meaning is not
     established here. abadbeef in the result fields looks like a capture sentinel.
     NOTE(review): a single local SID lookup during process start-up is typical of Windows itself. -->
<apiArg_list count="2">
<apiArg value="0013f5d8"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="RPC
ID" value="{12345778-1234-ABCD-EF00-0123456789AB}_57"/>
<exInfo descr="
" value="(00160218)"/>
<exInfo descr="RPC
" value="Unknown"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x101001F" category="System" descr="
ID {12345778-1234-ABCD-EF00-0123456789AB}_0
(00160218)
Unknown" level="0" name="RPC
" policy_id="2d3f1729c6b697fd96e430662dd20db3">
<action api_name="NdrpClientMarshal" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.276" err_code="abadbeef" field="start_boot" name="RpcClientRequest" ret_value="abadbeef" status_value="abadbeef" type="Process" uniq_id="29">
<!-- RPC request on the LSA interface {12345778-1234-ABCD-EF00-0123456789AB}. The _0 suffix is
     presumably the opnum; opnum 0 on this interface is LsarClose, which releases a policy handle.
     Read with the two preceding RPC records (suffixes _44 and _57) this is an open, lookup, close
     sequence within 7 ms. abadbeef in the result fields looks like a capture sentinel. -->
<apiArg_list count="2">
<apiArg value="0013f66c"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="RPC
ID" value="{12345778-1234-ABCD-EF00-0123456789AB}_0"/>
<exInfo descr="
" value="(00160218)"/>
<exInfo descr="RPC
" value="Unknown"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\wscript.exe" level="-1" name="
" policy_id="a426ca02c07908137170d3fb329aaff0">
<action api_name="NtReadFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.286" err_code="0" field="start_boot" name="ReadFile" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<!-- wscript.exe reads from its own image file. The seventh apiArg (00000004) is the Length
     parameter of NtReadFile, so only 4 bytes are requested. ret_value is 0 while status_value
     shows c0000034 (STATUS_OBJECT_NAME_NOT_FOUND), which does not fit a read on an open handle;
     status_value is likely carried over from an earlier call. NOTE(review): confirm with the schema. -->
<apiArg_list count="9">
<apiArg value="0000008c"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="0013e768"/>
<apiArg value="0013e82c"/>
<apiArg value="00000004"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\wscript.exe"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\SXS.DLL
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.338" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<!-- Attribute probe for SXS.DLL, the Windows side-by-side assembly library, ahead of the load
     recorded next. ret_value is 0; status_value c0000034 (STATUS_OBJECT_NAME_NOT_FOUND) may be a
     carried-over thread status, since the DLL is loaded from this directory 5 ms later. -->
<apiArg_list count="2">
<apiArg value="0013e9f4"/>
<apiArg value="0013e9cc"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\SXS.DLL"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\sxs.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.343" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<!-- Module load of sxs.dll from system32. The captured apiArg values are all zero; the path is in
     exInfo. The remaining two exInfo values look like base and size but are unlabelled in this
     export. For triage, the check that matters on a load record is the directory: a system DLL
     name resolved from outside system32 would deserve attention, which is not the case here. -->
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\sxs.dll"/>
<exInfo descr="
" value="00075e00000"/>
<exInfo descr="
" value="000ae000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\msctfime.ime
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.401" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<!-- Attribute probe for msctfime.ime, the Windows XP Text Services input-method module that the OS
     typically loads into processes that create windows. ret_value 0 and status_value 0: found.
     Probes of this path recur in this trace and are host noise rather than sample behaviour. -->
<apiArg_list count="2">
<apiArg value="0112eb50"/>
<apiArg value="0112eb28"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\msctfime.ime"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\msctfime.ime" level="-1" name="
" policy_id="7f626c4c90ceb6787905e62e8f94c22c">
<action api_name="NtReadFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.410" err_code="0" field="start_boot" name="ReadFile" ret_value="e4" status_value="0" type="File" uniq_id="29">
<!-- Read on msctfime.ime. apiArg_list holds 16 values although NtReadFile takes nine parameters, so
     this record was presumably captured at a different hook point or includes adjacent stack words.
     NOTE(review): do not map these values to NtReadFile parameters by position, and do not
     interpret ret_value e4 without the sandbox schema. -->
<apiArg_list count="16">
<apiArg value="000000e8"/>
<apiArg value="00000000"/>
<apiArg value="00000002"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="7c80ac9f"/>
<apiArg value="00000000"/>
<apiArg value="00158b00"/>
<apiArg value="0112ed34"/>
<apiArg value="02080000"/>
<apiArg value="0112ed0c"/>
<apiArg value="000a0008"/>
<apiArg value="7c814e90"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\msctfime.ime"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\msctfime.ime
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.424" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<!-- Repeat attribute probe for msctfime.ime (input-method module); ret_value 0 and status_value 0.
     Same path and policy_id as other probes in this trace; only the stack pointers in apiArg differ.
     Safe to de-duplicate when summarising the run. -->
<apiArg_list count="2">
<apiArg value="0112eb48"/>
<apiArg value="0112eb20"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\msctfime.ime"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\msctfime.ime" level="-1" name="
" policy_id="7f626c4c90ceb6787905e62e8f94c22c">
<action api_name="NtReadFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:50.433" err_code="0" field="start_boot" name="ReadFile" ret_value="e4" status_value="0" type="File" uniq_id="29">
<!-- Second read record on msctfime.ime with the same handle value (000000e8) and ret_value (e4) as
     the read 23 ms earlier; only two stack addresses differ. The 16 captured values exceed the
     nine parameters of NtReadFile, so positional mapping to parameters is unreliable.
     NOTE(review): interpret against the sandbox schema. -->
<apiArg_list count="16">
<apiArg value="000000e8"/>
<apiArg value="00000000"/>
<apiArg value="00000002"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="7c80ac9f"/>
<apiArg value="00000000"/>
<apiArg value="00158b00"/>
<apiArg value="0112ed2c"/>
<apiArg value="02080000"/>
<apiArg value="0112ed04"/>
<apiArg value="000a0008"/>
<apiArg value="7c814e90"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\msctfime.ime"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\msctfime.ime
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.449" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<!-- Attribute probe for msctfime.ime about one second after the previous file record
     (07:14:50.433 to 07:14:51.449), immediately before the module is loaded. ret_value 0 and
     status_value 0: found. The gap itself is not explained by anything recorded here. -->
<apiArg_list count="2">
<apiArg value="0112eb34"/>
<apiArg value="0112eb0c"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\msctfime.ime"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\msctfime.ime" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.460" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<!-- Module load of msctfime.ime from system32 into wscript.exe. An input-method module loading
     into a process with a user interface is standard Windows XP behaviour. The captured apiArg
     values are all zero; the second and third exInfo values look like base and size but are
     unlabelled in this export. -->
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\msctfime.ime"/>
<exInfo descr="
" value="00073640000"/>
<exInfo descr="
" value="0002e000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\ole32.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.504" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<!-- Attribute probe for ole32.dll, the core COM runtime library, under system32. ret_value 0 and
     status_value 0: found. Expected while a script host initialises COM; no load record follows
     in this part of the trace, so the module was presumably already mapped. -->
<apiArg_list count="2">
<apiArg value="0112e2b8"/>
<apiArg value="0112e290"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\ole32.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\ntdll.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.507" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<!-- Attribute probe for ntdll.dll under system32; ret_value 0 and status_value 0: found.
     ntdll.dll is mapped into every Windows process, so a path check on it carries no
     sample-specific meaning. -->
<apiArg_list count="2">
<apiArg value="0112edc8"/>
<apiArg value="0112eda0"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\ntdll.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\system32\msctfime.ime
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.522" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<!-- Further attribute probe for msctfime.ime after the module was already loaded at 07:14:51.460.
     ret_value 0 and status_value 0. Repetition of this path is host noise; de-duplicate when
     summarising. -->
<apiArg_list count="2">
<apiArg value="0112e9f0"/>
<apiArg value="0112e9c8"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\system32\msctfime.ime"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\CLBCATQ.DLL
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.554" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<!-- Attribute probe for CLBCATQ.DLL, the COM+ catalog library, directly before it is loaded.
     ret_value 0 and status_value 0: found. Part of COM activation set-up in the script host. -->
<apiArg_list count="2">
<apiArg value="0013e830"/>
<apiArg value="0013e808"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\CLBCATQ.DLL"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\clbcatq.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.558" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<!-- Module load of clbcatq.dll (COM+ catalog library) from system32. It precedes the catalog file
     read and the CLSID registry lookups later in this trace, which is the usual order when a
     process activates a COM class. Captured apiArg values are all zero; trailing exInfo values
     are unlabelled in this export. -->
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\clbcatq.dll"/>
<exInfo descr="
" value="00076fa0000"/>
<exInfo descr="
" value="0007f000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\System32\COMRes.dll
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.562" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="0" type="File" uniq_id="29">
<!-- Attribute probe for COMRes.dll, the COM+ resource library, directly before it is loaded.
     ret_value 0 and status_value 0: found. Baseline COM initialisation. -->
<apiArg_list count="2">
<apiArg value="0013e500"/>
<apiArg value="0013e4d8"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\System32\COMRes.dll"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Memory" descr="
C:\WINDOWS\system32\comres.dll" level="0" name="
" policy_id="da2c97d38a53f58586c55385aa282e93">
<action api_name="LoadLibraryExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.566" err_code="0" field="start_boot" name="LoadLibrary" ret_value="0" status_value="0" type="Memory" uniq_id="29">
<!-- Module load of comres.dll from system32, 4 ms after the attribute probe for the same file.
     Captured apiArg values are all zero; the path in exInfo is the only usable detail, and the
     trailing exInfo values are unlabelled in this export. Baseline COM initialisation. -->
<apiArg_list count="3">
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="3">
<exInfo descr="
" value="C:\WINDOWS\system32\comres.dll"/>
<exInfo descr="
" value="00077020000"/>
<exInfo descr="
" value="0009a000"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\Debug" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.595" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<!-- Open attempt on HKLM\Software\Microsoft\COM3\Debug. RegOpenKeyExW parameters in order are hKey,
     lpSubKey, ulOptions, samDesired, phkResult: 80000002 is HKEY_LOCAL_MACHINE and 000f003f is
     KEY_ALL_ACCESS. ret_value 2 is ERROR_FILE_NOT_FOUND and status_value c0000034 is
     STATUS_OBJECT_NAME_NOT_FOUND, so the key does not exist and nothing was opened or written.
     The request follows the clbcatq.dll load, so it presumably comes from that library. -->
<apiArg_list count="5">
<apiArg value="80000002"/>
<apiArg value="76fa4b24"/>
<apiArg value="00000000"/>
<apiArg value="000f003f"/>
<apiArg value="0013e8d4"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\Debug"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\Registration
" level="-1" name="
" policy_id="6f7987a29b9478f7246cb146204e278c">
<action api_name="NtQueryAttributesFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.601" err_code="0" field="start_boot" name="QueryFileAttributes" ret_value="0" status_value="c0000034" type="File" uniq_id="29">
<!-- Attribute probe for the C:\WINDOWS\Registration directory, where the COM+ catalog files live.
     ret_value is 0 and a file inside this directory is read 44 ms later, so status_value c0000034
     is probably left over from the failed registry open just before rather than this call's result.
     NOTE(review): confirm the field's meaning against the sandbox schema. -->
<apiArg_list count="2">
<apiArg value="0013e884"/>
<apiArg value="0013e85c"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\Registration"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="File" descr="
C:\WINDOWS\Registration\R000000000007.clb" level="-1" name="
" policy_id="a582a1e03bc2cba52e37bd28525d5af9">
<action api_name="NtReadFile" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.645" err_code="0" field="start_boot" name="ReadFile" ret_value="0" status_value="0" type="File" uniq_id="29">
<!-- Read of a COM+ catalog file (.clb) under C:\WINDOWS\Registration. The seventh apiArg
     (000056f8) is the Length parameter of NtReadFile: 0x56f8 bytes requested. This is a read
     only; no write to the catalog is recorded. Baseline COM activation. -->
<apiArg_list count="9">
<apiArg value="00000160"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
<apiArg value="0013eb0c"/>
<apiArg value="00169090"/>
<apiArg value="000056f8"/>
<apiArg value="00000000"/>
<apiArg value="00000000"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="C:\WINDOWS\Registration\R000000000007.clb"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\TreatAs" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.667" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<!-- COM class lookup for CLSID {F414C260-6AC0-11CF-B6D1-00AA00BBBB58}, the JScript engine, which
     wscript.exe activates for a .js input. The fourth apiArg (samDesired) is 00000001,
     KEY_QUERY_VALUE: a read-only open. ret_value 2 is ERROR_FILE_NOT_FOUND, so no TreatAs
     redirection is registered for this class. TreatAs is a COM redirection point, so what
     defenders watch for is a write that creates it; this record is only a failed read under HKLM. -->
<apiArg_list count="5">
<apiArg value="00000162"/>
<apiArg value="7699c3e0"/>
<apiArg value="00000000"/>
<apiArg value="00000001"/>
<apiArg value="0013eeac"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\TreatAs"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocServerX86" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.678" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<!-- COM activation probe for the InprocServerX86 subkey of the JScript engine CLSID. The fourth
     apiArg (samDesired) is 02000000, MAXIMUM_ALLOWED. ret_value 2 is ERROR_FILE_NOT_FOUND: the
     subkey is absent, which is normal, and the COM runtime moves on to the next server subkey.
     An open that fails creates nothing; registry writes would appear as separate records. -->
<apiArg_list count="5">
<apiArg value="00000162"/>
<apiArg value="7699c474"/>
<apiArg value="00000000"/>
<apiArg value="02000000"/>
<apiArg value="0013ef48"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocServerX86"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\LocalServer32" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.680" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<!-- COM activation probe for the LocalServer32 subkey of the JScript engine CLSID, opened with
     samDesired 02000000 (MAXIMUM_ALLOWED). ret_value 2 is ERROR_FILE_NOT_FOUND: no out-of-process
     server is registered for this class, as expected for an in-process script engine. -->
<apiArg_list count="5">
<apiArg value="00000162"/>
<apiArg value="7699c458"/>
<apiArg value="00000000"/>
<apiArg value="02000000"/>
<apiArg value="0013ef68"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\LocalServer32"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocHandler32" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.686" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<!-- COM activation probe for the InprocHandler32 subkey of the JScript engine CLSID, opened with
     samDesired 02000000 (MAXIMUM_ALLOWED). ret_value 2 is ERROR_FILE_NOT_FOUND: no custom handler
     is registered. Part of the fixed sequence of subkeys the COM runtime checks per class. -->
<apiArg_list count="5">
<apiArg value="00000162"/>
<apiArg value="7699c420"/>
<apiArg value="00000000"/>
<apiArg value="02000000"/>
<apiArg value="0013ef68"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocHandler32"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocHandlerX86" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.688" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">
<!-- COM activation probe for the InprocHandlerX86 subkey of the JScript engine CLSID, opened with
     samDesired 02000000 (MAXIMUM_ALLOWED). ret_value 2 is ERROR_FILE_NOT_FOUND: subkey absent.
     Every CLSID probe in this run fails read-only under HKLM, consistent with ordinary class
     resolution rather than registry tampering. -->
<apiArg_list count="5">
<apiArg value="00000162"/>
<apiArg value="7699c494"/>
<apiArg value="00000000"/>
<apiArg value="02000000"/>
<apiArg value="0013ef68"/>
</apiArg_list>
<exInfo_list count="1">
<exInfo descr="
" value="HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocHandlerX86"/>
</exInfo_list>
</action>
</action_list><action_list attck_id="0x000000" category="Reg" descr="
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\LocalServer32" level="0" name="
" policy_id="bf6f03f99322f1e4cad8f1c780541ef7">
<action api_name="RegOpenKeyExW" call_name="wscript.exe" call_pid="1164" call_time="07:14:51.690" err_code="0" field="start_boot" name="RegOpenKey" ret_value="2" status_value="c0000034" type="Reg" uniq_id="29">