1bbot.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected 1bbot.exe.
1bbot.exe is not signed.
31 of the 73 anti-virus programs at VirusTotal detected the 1bbot.exe file. That's a 42% detection rate.
Scanner | Detection Name |
---|---|
AegisLab | Trojan.Win32.Generic.4!c |
AhnLab-V3 | Trojan/Win32.Agent.R267769 |
Alibaba | TrojanSpy:Application/Generic.26d0ef31 |
APEX | Malicious |
Avast | Win64:Trojan-gen |
AVG | Win64:Trojan-gen |
Avira | TR/Spy.Agent.doyuz |
CrowdStrike | win/malicious_confidence_80% (W) |
Cyren | W64/Trojan.YZAG-6445 |
DrWeb | Trojan.PWS.Siggen2.14818 |
eGambit | Unsafe.AI_Score_93% |
ESET-NOD32 | a variant of Win64/Spy.Agent.BE |
F-Secure | Trojan.TR/Spy.Agent.doyuz |
FireEye | Generic.mg.6fb4bdcae4081cd6 |
Fortinet | W64/Agent.BE!tr |
GData | Win64.Trojan.Agent.UOZDD3 |
Ikarus | Trojan.Win64.Spy |
K7AntiVirus | Spyware ( 0054c5931 ) |
K7GW | Spyware ( 0054c5931 ) |
Malwarebytes | Spyware.CryptBot |
MAX | malware (ai score=99) |
McAfee | Trojan-FQXN!6FB4BDCAE408 |
McAfee-GW-Edition | BehavesLike.Win64.BadFile.vh |
Microsoft | Trojan:Win32/Tiggre!plock |
Paloalto | generic.ml |
Qihoo-360 | Win32/Trojan.Spy.633 |
SentinelOne | DFI - Suspicious PE |
Sophos | Mal/Generic-S |
Symantec | Trojan.Gen.2 |
TACHYON | Trojan/W64.Agent.2974720 |
TrendMicro-HouseCall | TROJ_GEN.R002H0CEI19 |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy", "C:\\ProgramData\\73lVaqo4tj\\moz_cookies.db-shm", "C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy", "C:\\Windows\\SysWOW64", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy", "C:\\ProgramData\\Avg", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\ElectronCash\\wallets", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User 
Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy", "C:\\ProgramData\\Pader", "C:\\ProgramData\\73lVaqo4tj\\moz_cookies.db", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\com.liberty.jaxx", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Monero", "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy", "C:\\ProgramData\\73lVaqo4tj\\moz_cookies.db-wal", "C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Jaxx", "C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\MultiBitHD", "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy", "C:\\ProgramData\\AVAST Software", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Exodus", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\WebDataCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum-btcp\\wallets", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Exodus Eden", "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy", "C:\\ProgramData\\73lVaqo4tj\\moz_cookies.db-journal", "C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum\\wallets", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy", 
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy" ], "mutex": [ "IESQMMUTEX_0_208" ], "file_failed": [ "C:\\Users\\cuck\\AppData\\Local\\Application Data\\", "C:\\Users\\cuck\\Local Settings\\", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Roaming\\Exodus Eden", "C:\\Users\\cuck\\Cookies\\", "C:\\Program Files\\Windows NT\\nss3.dll", "C:\\Users\\cuck\\Documents\\My Music\\", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy", "C:\\Program Files\\Windows Mail\\nss3.dll", "C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy", "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\", "C:\\Users\\cuck\\AppData\\Local\\History\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Files\\Desktop", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FileCookies.txt\\", "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\Desktop\\secret.txt", "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy", "C:\\Program Files\\Windows Defender\\nss3.dll", "C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Roaming\\MultiBitHD", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_qk8iUj2.txt\\", "C:\\Users\\cuck\\Recent\\", "C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy", 
"C:\\Users\\cuck\\AppData\\Roaming\\Exodus", "C:\\Program Files\\DVD Maker\\nss3.dll", "C:\\ProgramData\\73lVaqo4tj\\Files\\_Screen.jpg\\", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Temporary Internet Files\\", "C:\\Program Files\\Common Files\\nss3.dll", "C:\\ProgramData\\73lVaqo4tj\\Files\\_FilePasswords.txt\\", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy", "C:\\Program Files\\Windows Photo Viewer\\nss3.dll", "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\Cookies", "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy", "C:\\Program Files\\Windows Portable Devices\\nss3.dll", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy", "C:\\Users\\cuck\\Application Data\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum", "C:\\Users\\cuck\\AppData\\Roaming\\Jaxx", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\Documents\\My Pictures\\", "C:\\Users\\cuck\\Templates\\", "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\Documents\\Monero", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy", "C:\\ProgramData\\73lVaqo4tj\\47283761.txt", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FilePasswords.txt\\", "C:\\Users\\cuck\\AppData\\Roaming\\ElectronCash", "C:\\Users\\cuck\\AppData\\Roaming\\Electrum-btcp", "C:\\Users\\cuck\\NetHood\\", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy", "C:\\Users\\cuck\\SendTo\\", "C:\\Program 
Files\\Windows Sidebar\\nss3.dll", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy", "C:\\Program Files\\Windows Journal\\nss3.dll", "C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\ElectronCash", "C:\\Users\\cuck\\Documents\\My Videos\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FileForms.txt\\", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum-btcp", "C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Files\\Other", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy", "C:\\Users\\cuck\\Start Menu\\", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy", "C:\\Program Files\\Internet Explorer\\nss3.dll", "C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\WebDataCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Files", "C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy", "C:\\Program Files\\MSBuild\\nss3.dll", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy", "C:\\Program Files\\Windows Media Player\\nss3.dll", "C:\\ProgramData\\73lVaqo4tj\\Files\\_Info.txt\\", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy", "C:\\Program Files\\Uninstall Information\\nss3.dll", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Roaming\\Electrum", 
"C:\\Users\\cuck\\AppData\\Roaming\\com.liberty.jaxx", "C:\\Users\\cuck\\Desktop\\report.doc", "C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy", "C:\\Users\\cuck\\My Documents\\", "C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy", "C:\\Program Files\\Reference Assemblies\\nss3.dll", "C:\\nss3.dll", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy", "C:\\Users\\cuck\\PrintHood\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy", "C:\\Users\\cuck\\Downloads\\download.exe" ], "guid": [ "{ea1afb91-9e28-4b86-90e9-9e9f8a5eefaf}", "{a1faf330-ef97-11ce-9bc9-00aa00608e01}", "{3eef301f-b596-4c0b-bd92-013beafce793}", "{0c9fb851-e5c9-43eb-a370-f0677b13874c}", "{078759d3-423b-48ad-ab6a-5638c2884dbe}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{dcb00000-570f-4a9b-8d69-199fdba5723b}", "{56fdf344-fd6d-11d0-958a-006097c9a090}", "{eb6339bf-eb6a-437a-82da-a56e7e4f9cdc}", "{9e175b6d-f52a-11d8-b9a5-505054503030}", "{dcb00c01-570f-4a9b-8d69-199fdba5723b}", "{f8383852-fcd3-11d1-a6b9-006097df5bd4}", "{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{b056521a-9b10-425e-b616-1fcd828db3b1}", 
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}" ], "file_read": [ "C:\\ProgramData\\73lVaqo4tj\\moz_cookies.db", "C:\\Windows\\Fonts\\staticcache.dat", "C:\\Users\\cuck\\Documents\\desktop.ini", "C:\\Users\\desktop.ini", "C:\\Users\\cuck\\Desktop\\desktop.ini", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_qk8iUj2.txt", "C:\\ProgramData\\73lVaqo4tj\\Files\\_Info.txt", "C:\\ProgramData\\73lVaqo4tj\\ilj1xUM6V.zip", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FileCookies.txt", "C:\\ProgramData\\73lVaqo4tj\\Files\\_Screen.jpg" ], "regkey_read": [ "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\AlwaysShowExt", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NoFileFolderConnection", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ReleaseId", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MaxUndoItems", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MaxUndoItems", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\IsShortcut", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\IsShortcut", "HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\DocObject", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\PerceivedType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\AlwaysShowExt", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet 
Explorer\\Security\\DisableSecuritySettingsCheck", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1A10", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileDirectory", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileDirectory", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileDirectory", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileDirectory", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask" ] }
[ { "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\ccbd259f8eee1a6b5962d04cf78a301e52c41742de53589db507db16185c9de9.bin", "process_name": "ccbd259f8eee1a6b5962d04cf78a301e52c41742de53589db507db16185c9de9.bin", "pid": 2456, "summary": { "connects_ip": [ "127.0.0.1" ], "downloads_file": [ "http:\/\/ip-api.com\/line" ], "file_created": [ "C:\\ProgramData\\73lVaqo4tj\\moz_cookies.db-wal", "C:\\ProgramData\\73lVaqo4tj\\ilj1xUM6V.zip", "C:\\ProgramData\\73lVaqo4tj\\moz_cookies.db-shm", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FileCC.txt", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FileForms.txt", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_qk8iUj2.txt", "C:\\ProgramData\\73lVaqo4tj\\Files\\_Info.txt", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FilePasswords.txt", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FileCookies.txt", "C:\\ProgramData\\73lVaqo4tj\\Files\\_Screen.jpg" ], "directory_created": [ "C:\\ProgramData\\Pader", "C:\\ProgramData\\73lVaqo4tj\\Files", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\ElectronCash", "C:\\ProgramData\\73lVaqo4tj", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers", "C:\\ProgramData\\73lVaqo4tj\\Files\\Files", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\Cookies", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum-btcp", "C:\\ProgramData\\73lVaqo4tj\\Files\\Files\\Other", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins", "C:\\ProgramData\\73lVaqo4tj\\Files\\Files\\Desktop" ], "dll_loaded": [ "gdiplus.dll", "C:\\Windows\\System32\\mswsock.dll", "urlmon.dll", "kernel32", "api-ms-win-core-sysinfo-l1-2-1", "api-ms-win-core-localization-l1-2-1", "api-ms-win-core-fibers-l1-1-1", "dwmapi.dll", "KERNEL32.dll", "UxTheme.dll", "C:\\Windows\\system32\\ole32.dll", "DUI70.dll", "ntdll.dll", "C:\\Windows\\system32\\napinsp.dll", "api-ms-win-core-synch-l1-2-0", "ntmarta.dll", 
"API-MS-WIN-Service-Management-L1-1-0.dll", "PROPSYS.dll", "WININET.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "DHCPCSVC.DLL", "OLEAUT32.DLL", "RASMAN.DLL", "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", "ole32.dll", "USER32.dll", "Comctl32.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "C:\\Windows\\system32\\DUser.dll", "rtutils.dll", "IPHLPAPI.DLL", "wininet.dll", "WindowsCodecs.dll", "C:\\Windows\\system32\\xmllite.dll", "RASAPI32.dll", "CRYPT32.dll", "C:\\Windows\\system32\\pnrpnsp.dll", "SHELL32.dll", "DNSAPI.dll", "C:\\Windows\\System32\\winrnr.dll", "DUser.dll", "comctl32.dll", "C:\\Windows\\system32\\oleaut32.dll", "WS2_32.dll", "NTDLL", "kernel32.dll", "GDI32.dll", "ADVAPI32.dll", "SETUPAPI.dll", "OLEACC.dll", "user32.dll", "OLEAUT32.dll" ], "file_opened": [ "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", "C:\\ProgramData", "C:\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\", "C:\\ProgramData\\73lVaqo4tj\\Files", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\bookmarkbackups\\", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FileCookies.txt", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\", 
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\3312185054sbndi_pspte.files\\", "C:\\ProgramData\\73lVaqo4tj\\moz_cookies.db", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00040617\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Credentials\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\", "C:\\Users\\cuck\\Desktop\\desktop.ini", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\", "C:\\Users\\cuck\\Saved Games\\", 
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\", "C:\\Users\\cuck\\Favorites\\Windows Live\\", "C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", "C:\\Program Files\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\", "C:\\Users\\cuck\\Favorites\\Links\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1024\\", "C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\OfflineCache\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\VU6ZINQW\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\", "C:\\Users\\cuck\\AppData\\Roaming\\", 
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\1KH9UWN0\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Files\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\sessionstore-backups\\", "C:\\Users\\cuck\\AppData\\LocalLow\\Mozilla\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\", "C:\\Users\\cuck\\Documents\\desktop.ini", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FileForms.txt", "C:\\Users\\cuck\\Favorites\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\2018-06\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-699399860-4089948139-3198924279-1001\\", "C:\\Users\\cuck\\AppData\\Roaming\\Media Center Programs\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\temporary\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\", "C:\\Users\\cuck\\Videos\\", 
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\google4\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\jumpListCache\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\WINNT_x86-msvc\\", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\", "C:\\Users\\cuck\\Favorites\\Links for United States\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\_Screen.jpg", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Extensions\\", "C:\\Users\\cuck\\Documents", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Explorer\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\_Info.txt", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FilePasswords.txt", "C:\\Users\\cuck\\AppData\\Local\\pip\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\1\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ccbd259f8eee1a6b5962d04cf78a301e52c41742de53589db507db16185c9de9.bin", "C:\\Windows\\Fonts\\staticcache.dat", 
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\", "C:\\Users\\cuck\\AppData\\LocalLow\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-699399860-4089948139-3198924279-1001\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\", "C:\\Users\\cuck\\AppData\\Roaming\\Identities\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\3312185054sbndi_pspte.files\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\", "C:\\ProgramData\\73lVaqo4tj\\47283761.txt", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\", "C:\\Users\\cuck\\Favorites\\Microsoft Websites\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_qk8iUj2.txt", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\1\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\", "C:\\Users\\cuck\\Contacts\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3X0GYJB7\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\saved-telemetry-pings\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\", 
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\events\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\_FileCC.txt", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\", "C:\\Users\\cuck\\Downloads\\", "C:\\Users\\cuck\\AppData\\Roaming\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\minidumps\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", "C:\\Windows\\resources\\Themes\\Aero\\Shell\\NormalColor\\ShellStyle.dll", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\", "C:\\Users\\cuck\\Links\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\", "C:\\Users", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Files\\Desktop\\", "C:\\Users\\desktop.ini", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\ElectronCash\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\", "C:\\Users\\cuck", "C:\\Users\\cuck\\Desktop", "C:\\Users\\cuck\\Favorites\\MSN Websites\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\", 
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\2\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\thumbnails\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Files", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\ZQR1HVQK\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\_FilePasswords.txt", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\K6VAOA4J\\", "C:\\Users\\cuck\\AppData\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\6\\", "C:\\Windows\\System32\\ras\\", "C:\\Users\\cuck\\Searches\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\", "C:\\ProgramData\\73lVaqo4tj", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\6KHYU14N\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", "C:\\Users\\cuck\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\", 
"C:\\ProgramData\\73lVaqo4tj\\Files\\Files\\Other\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\e\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\D3L171UH\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OFC88ECH\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Browsers\\Cookies\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\entries\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Themes\\", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\", "C:\\ProgramData\\73lVaqo4tj\\ilj1xUM6V.zip", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\startupCache\\", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\", "C:\\Users\\cuck\\Pictures\\", "C:\\Users\\cuck\\AppData\\Local\\", "C:\\Users\\cuck\\Music\\", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\GameExplorer\\", "C:\\Users\\cuck\\Desktop\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum-btcp\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\", "C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\", "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum\\", "C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\doomed\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1033\\", "C:\\Users\\cuck\\AppData\\Local\\VirtualStore\\", "C:\\Users\\cuck\\Documents\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\", "C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\" ], "file_copied": [ [ 
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\Cookies", "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\Cookies", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\Web Data", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\Cookies", "C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\Web Data", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\Web Data", "C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\Login Data", "C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\Web Data", "C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\Login Data", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\Web Data", "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\Cookies", "C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy" ], [ "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\Login 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileDirectory", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask" ] }, "first_seen": 1566287586.5156, "ppid": 2780 }, { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 476, "summary": {}, "first_seen": 1566287586.3438, "ppid": 376 } ]
[ { "markcount": 1, "families": [], "description": "Queries for the computername", "severity": 1, "marks": [ { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1566287171.8469, "tid": 2676, "flags": {} }, "pid": 2456, "type": "call", "cid": 5550 } ], "references": [], "name": "antivm_queries_computername" }, { "markcount": 1, "families": [], "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available", "severity": 1, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "GlobalMemoryStatusEx", "return_value": 1, "arguments": {}, "time": 1566287171.8629, "tid": 2676, "flags": {} }, "pid": 2456, "type": "call", "cid": 5583 } ], "references": [], "name": "antivm_memory_available" }, { "markcount": 3, "families": [], "description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)", "severity": 1, "marks": [ { "category": "section", "ioc": ".gfids", "type": "ioc", "description": null }, { "category": "section", "ioc": ".ede0", "type": "ioc", "description": null }, { "category": "section", "ioc": ".ede1", "type": "ioc", "description": null } ], "references": [], "name": "pe_features" }, { "markcount": 2, "families": [], "description": "Allocates read-write-execute memory (usually to unpack itself)", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2456, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 671744, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000140001000" }, "time": 1566287157.1749, "tid": 2676, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2456, "type": "call", "cid": 8 }, { "call": { 
"category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2456, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x0000000002c20000" }, "time": 1566287160.0659, "tid": 2872, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 2456, "type": "call", "cid": 1860 } ], "references": [], "name": "allocates_rwx" }, { "markcount": 1, "families": [], "description": "A process attempted to delay the analysis task.", "severity": 2, "marks": [ { "type": "generic", "description": "ccbd259f8eee1a6b5962d04cf78a301e52c41742de53589db507db16185c9de9.bin tried to sleep 125 seconds, actually delayed analysis time by 125 seconds" } ], "references": [], "name": "antisandbox_sleep" }, { "markcount": 24, "families": [], "description": "Steals private information from local Internet browsers", "severity": 2, "marks": [ { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy", "type": "ioc", "description": null }, { 
"category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": 
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy", "type": "ioc", "description": null } ], "references": [], "name": "infostealer_browser" }, { "markcount": 1, "families": [], "description": "Checks adapter addresses which can be used to detect virtual network interfaces", "severity": 2, "marks": [ { "call": { "category": "network", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741772, "api": "GetAdaptersAddresses", "return_value": 111, "arguments": { "flags": 0, "family": 0 }, "time": 1566287166.9099, "tid": 2256, "flags": {} }, "pid": 2456, "type": "call", "cid": 5250 } ], "references": [], "name": "antivm_network_adapters" }, { "markcount": 2, "families": [], "description": "The binary likely contains encrypted or compressed data indicative of a packer", "severity": 2, "marks": [ { "entropy": 7.2418819463105, "section": { "size_of_data": "0x0027b400", "virtual_address": "0x001cf000", "entropy": 7.2418819463105, "name": ".ede1", "virtual_size": "0x0027b3d0" }, "type": "generic", "description": "A section with a high entropy has been found" }, { "entropy": 0.875, "type": "generic", "description": "Overall entropy of this PE file is high" } ], "references": [ "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html", "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf" ], "name": 
"packer_entropy" }, { "markcount": 1, "families": [], "description": "Queries for potentially installed applications", "severity": 2, "marks": [ { "call": { "category": "registry", "status": 0, "stacktrace": [], "last_error": 183, "nt_status": -1073741772, "api": "RegOpenKeyExW", "return_value": 2, "arguments": { "access": "0x00020119", "base_handle": "0xffffffff80000001", "key_handle": "0x0000000000000000", "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "regkey_r": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "options": 0 }, "time": 1566287172.0349, "tid": 2676, "flags": {} }, "pid": 2456, "type": "call", "cid": 6778 } ], "references": [], "name": "queries_programs" }, { "markcount": 2, "families": [], "description": "Attempts to identify installed AV products by installation directory", "severity": 3, "marks": [ { "category": "file", "ioc": "C:\\ProgramData\\AVAST Software", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\ProgramData\\Avg", "type": "ioc", "description": null } ], "references": [], "name": "antiav_detectfile" }, { "markcount": 1, "families": [], "description": "Checks the CPU name from registry, possibly for anti-virtualization", "severity": 3, "marks": [ { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString", "type": "ioc", "description": null } ], "references": [], "name": "antivm_generic_cpu" }, { "markcount": 2, "families": [], "description": "Attempts to access Bitcoin\/ALTCoin wallets", "severity": 3, "marks": [ { "category": "file", "ioc": "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum\\", "type": "ioc", "description": null }, { "category": "file", "ioc": "C:\\ProgramData\\73lVaqo4tj\\Files\\Coins\\Electrum\\wallets", "type": "ioc", "description": null } ], "references": [], "name": "infostealer_bitcoin" }, { "markcount": 5, "families": [], "description": "Sets or modifies WPAD proxy 
autoconfiguration file for traffic interception", "severity": 3, "marks": [ { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExA", "return_value": 0, "arguments": { "key_handle": "0x0000000000000414", "value": 1, "regkey_r": "WpadDecisionReason", "reg_type": 4, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason" }, "time": 1566287169.4879, "tid": 2256, "flags": { "reg_type": "REG_DWORD" } }, "pid": 2456, "type": "call", "cid": 5263 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExA", "return_value": 0, "arguments": { "key_handle": "0x0000000000000414", "value": "pa \u00d4[W\u00d5\u0001", "regkey_r": "WpadDecisionTime", "reg_type": 3, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime" }, "time": 1566287169.4879, "tid": 2256, "flags": { "reg_type": "REG_BINARY" } }, "pid": 2456, "type": "call", "cid": 5264 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExA", "return_value": 0, "arguments": { "key_handle": "0x0000000000000414", "value": 3, "regkey_r": "WpadDecision", "reg_type": 4, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision" }, "time": 1566287169.4879, "tid": 2256, "flags": { "reg_type": "REG_DWORD" } }, "pid": 2456, "type": "call", "cid": 5265 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExW", "return_value": 0, "arguments": { "key_handle": "0x0000000000000414", "value": "Unidentified network", "regkey_r": "WpadNetworkName", "reg_type": 1, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName" }, "time": 1566287169.4879, "tid": 2256, "flags": { "reg_type": "REG_SZ" } }, "pid": 2456, "type": "call", "cid": 5266 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExW", "return_value": 0, "arguments": { "key_handle": "0x0000000000000410", "value": "{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}", "regkey_r": "WpadLastNetwork", "reg_type": 1, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork" }, "time": 1566287169.5349, "tid": 2256, "flags": { "reg_type": "REG_SZ" } }, "pid": 2456, "type": "call", "cid": 5350 } ], "references": [], "name": "modifies_proxy_wpad" } ]
The Yara rules did not detect anything in the file.
{ "tls": [], "udp": [ { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 546, "time": 3.2411279678345, "dport": 137, "sport": 137 }, { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 14946, "time": 9.4685008525848, "dport": 138, "sport": 138 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 16790, "time": 3.2495520114899, "dport": 5355, "sport": 51001 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 17118, "time": 1.0131568908691, "dport": 5355, "sport": 53595 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 17446, "time": 3.531201839447, "dport": 5355, "sport": 53848 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 17774, "time": 1.6646020412445, "dport": 5355, "sport": 54255 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 18102, "time": -0.10018801689148, "dport": 5355, "sport": 55314 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 18430, "time": 11.824935913086, "dport": 5355, "sport": 55880 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 18750, "time": 1.5780069828033, "dport": 1900, "sport": 1900 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 38160, "time": 1.0342090129852, "dport": 3702, "sport": 49152 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 46544, "time": 3.2395670413971, "dport": 1900, "sport": 53598 } ], "dns_servers": [], "http": [], "icmp": [], "smtp": [], "tcp": [], "smtp_ex": [], "mitm": [], "hosts": [], "pcap_sha256": "51b83161c17cc3b7137ead8fee51d2d5c35df583c138d1294e8a7a5083011775", "dns": [], "http_ex": [], "domains": [], "dead_hosts": [], "sorted_pcap_sha256": "0300fd845a008fb22d064361f27edd313a976feb2f7b1aa91c6d98560b2b0041", "irc": [], "https_ex": [] }
The instructions below show how to remove 1bbot.exe with the help of the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the 1bbot.exe file for removal, restart your computer and scan it again to verify that 1bbot.exe has been successfully removed. Here are the removal instructions in more detail:
Property | Value |
---|---|
MD5 | 6fb4bdcae4081cd69db1a954218d5a6f |
SHA256 | ccbd259f8eee1a6b5962d04cf78a301e52c41742de53589db507db16185c9de9 |
These are some of the error messages that can appear related to 1bbot.exe:
1bbot.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
1bbot.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
1bbot.exe has stopped working.
End Program - 1bbot.exe. This program is not responding.
1bbot.exe is not a valid Win32 application.
1bbot.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.