What is Racingcar.exe?
Racingcar.exe is part of amkja and developed by according to the Racingcar.exe version information.
Racingcar.exe's description is "amkja Setup "
Racingcar.exe is usually located in the 'c:\users\%USERNAME%\appdata\local\temp\' folder.
Some of the anti-virus scanners at VirusTotal detected Racingcar.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on Racingcar.exe:
| Property | Value |
|---|---|
| Product name | amkja |
| Company name | |
| File description | amkja Setup |
| Comments | This installation was built with Inno Setup. |
| Legal copyright | |
| Product version | 7.3.1 |
| File version |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | amkja .. |
| Company name | .. |
| File description | amkja Setup .. |
| Comments | This installation was built with Inn.. |
| Legal copyright | .. |
| Product version | 7.3.1 .. |
| File version |
Digital signatures [?]
Racingcar.exe is not signed.
VirusTotal report
26 of the 69 anti-virus programs at VirusTotal detected the Racingcar.exe file. That's a 38% detection rate.
| Scanner | Detection Name |
|---|---|
| APEX | Malicious |
| Arcabit | Trojan.Generic.D29E3ADA |
| AVG | Win32:Adware-gen [Adw] |
| Avira | ADWARE/CsdiMonetize.Gen |
| BitDefender | Trojan.GenericKD.43924186 |
| BitDefenderTheta | Gen:NN.ZemsilF.34254.Cm0@ay8zT3d |
| Cynet | Malicious (score: 85) |
| DrWeb | Adware.WizzMonetize.1 |
| Elastic | malicious (high confidence) |
| Emsisoft | Trojan.GenericKD.43924186 (B) |
| ESET-NOD32 | multiple detections |
| F-Secure | Heuristic.HEUR/AGEN.1101524 |
| FireEye | Trojan.GenericKD.43924186 |
| GData | Trojan.GenericKD.43924186 |
| Invincea | Generic ML PUA (PUA) |
| Jiangmin | AdWare.MSIL.mftc |
| Kaspersky | not-a-virus:HEUR:AdWare.MSIL.Csdi.gen |
| MAX | malware (ai score=89) |
| Microsoft | Trojan:Win32/Hynamer.B!ml |
| MicroWorld-eScan | Trojan.GenericKD.43924186 |
| NANO-Antivirus | Trojan.InnoSetup.Dwn.ezdpiz |
| Qihoo-360 | Generic/Virus.Adware.c25 |
| Sophos | Generic PUA GO (PUA) |
| Symantec | PUA.Gen.2 |
| Webroot | W32.Trojan.Gen |
| ZoneAlarm | not-a-virus:HEUR:AdWare.MSIL.Csdi.gen |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_setup64.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_isdecmp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_setup64.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-56R6I.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_isdecmp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-SLFMP.tmp",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.new",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-MKS0P.tmp",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.new"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"\\Device\\KsecDD"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Programs\\Common",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp",
"C:\\Program Files (x86)\\amkja",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Programs",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312",
"C:\\Users\\cuck\\AppData\\Local"
],
"dll_loaded": [
"C:\\Windows\\system32\\sfc.dll",
"DNSAPI.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"cryptsp.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"C:\\Windows\\system32\\propsys.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\rasapi32.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"SspiCli.dll",
"advapi32.dll",
"comctl32",
"ole32.dll",
"SHLWAPI.dll",
"ws2_32.dll",
"C:\\Windows\\system32\\shlwapi.dll",
"C:\\Windows\\system32\\comres.dll",
"C:\\Windows\\system32\\version.dll",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\system32\\shfolder.dll",
"C:\\Windows\\system32\\shell32.dll",
"iphlpapi.dll",
"CFGMGR32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\mscorlib\\9469491f37d9c35b596968b206615309\\mscorlib.ni.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\winhttp.dll",
"rpcrt4.dll",
"C:\\Windows\\system32\\clbcatq.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll",
"kernel32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"ntdll.dll",
"C:\\Windows\\system32\\napinsp.dll",
"C:\\Windows\\system32\\apphelp.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"IMM32.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"ADVAPI32.dll",
"profapi.dll",
"comctl32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll",
"RpcRtRemote.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\ole32.dll",
"shfolder.dll",
"DEVRTL.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Windows.Forms\\6c352ff9e3603b0e69d969ff7e7632f5\\System.Windows.Forms.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Drawing\\5910828a337dbe848dc90c7ae0a7dee2\\System.Drawing.ni.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_isdecmp.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Configuration\\091b931d0f6408001747dbbbb05dbe66\\System.Configuration.ni.dll",
"gdi32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\culture.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"CRYPTSP.dll",
"C:\\Windows\\system32\\cryptbase.dll",
"credssp.dll",
"ntdll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"C:\\Windows\\system32\\oleacc.dll",
"C:\\Windows\\system32\\setupapi.dll",
"NSI.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\iphlpapi.dll",
"shell32.dll",
"SETUPAPI.dll",
"WS2_32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\shell32.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Xml\\ee795155543768ea67eecddc686a1e9e\\System.Xml.ni.dll",
"winhttp.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System\\adff7dd9fe8e541775c46b6363401b22\\System.ni.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\system32\\Rstrtmgr.dll",
"OLEAUT32.DLL",
"RASMAN.DLL",
"C:\\Windows\\system32\\IMM32.DLL",
"C:\\Windows\\system32\\dwmapi.dll",
"C:\\Windows\\system32\\profapi.dll",
"rasapi32.dll",
"OLEAUT32.dll",
"RPCRT4.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\System32\\winrnr.dll",
"C:\\Windows\\system32\\userenv.dll",
"mscoree.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_isdecmp.dll",
"AdvApi32.dll",
"C:\\Windows\\system32\\ntmarta.dll"
],
"file_opened": [
"C:\\Windows\\System32\\imageres.dll",
"C:\\",
"C:\\Program Files (x86)\\amkja\\714991681.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-56R6I.tmp",
"C:\\Users\\cuck\\",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.new",
"C:\\Program Files (x86)\\amkja\\714991681.exe.config",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Program Files (x86)\\",
"C:\\Windows\\System32",
"C:\\Windows\\",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Users\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-SLFMP.tmp",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\index143.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\",
"C:\\Windows\\winsxs\\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\\",
"C:\\Windows\\System32\\shell32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\",
"C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\System32\\drivers\\etc\\hosts",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-MKS0P.tmp",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Program Files (x86)\\amkja\\714991681.exe.Config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\",
"c:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp",
"C:\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.new",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Program Files (x86)\\amkja\\",
"C:\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Program Files (x86)\\desktop.ini",
"C:\\Users\\cuck\\AppData\\"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"C:\\Program Files (x86)\\amkja\\714991681.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"C:\\Program Files (x86)\\amkja\\714991681.exe.config"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\RestartManager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85",
"HKEY_CURRENT_USER\\Software\\Borland\\Locales",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\zjka_is1",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3175ab79\\107c66d",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\Gadouha.tmp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\standards\\v2.0.50727",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\PropertyBag",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\MediaPermission",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PropertyBag",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Program Files (x86)|amkja|714991681.exe.Config",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\zjka_is1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\714991681.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5c4b5a48\\7901e0f4",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e",
"HKEY_CURRENT_USER\\Software",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\WebBrowserPermission",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\MediaPermission",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Program Files (x86)|amkja|714991681.exe.Config",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\WebBrowserPermission",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90",
"HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Program Files (x86)|amkja|714991681.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82",
"HKEY_LOCAL_MACHINE\\Software\\Borland\\Locales",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\internal\\jit\\Perf",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f"
],
"command_line": [
"C:\\Program Files (x86)\\amkja\\714991681.exe 1 ",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe\" \/p=oih",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp\" \/SL5=\"$60262,1280131,216064,C:\\Users\\cuck\\AppData\\Local\\Temp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin\" ",
"\"C:\\Program Files (x86)\\amkja\\714991681.exe\" 0 0 0 0",
"\"C:\\Program Files (x86)\\amkja\\714991681.exe\" 1 ",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp\" \/SL5=\"$70262,537450,79360,C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe\" \/p=oih"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_setup64.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_isdecmp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-SLFMP.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_setup64.tmp",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-56R6I.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_isdecmp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"C:\\Windows\\System32\\drivers\\etc\\hosts",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-MKS0P.tmp",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupCollapseState",
"HKEY_CURRENT_USER\\System\\CurrentControlSet\\Control\\Network\\ShowWirelessConnectingOnStart",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemPos800x600x96(1)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemOrder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000"
],
"file_deleted": [
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2056.38504109",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1348.38516312",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.2056.38504093",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1348.38516484",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1348.38516312",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.2056.38504671"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp"
],
"file_exists": [
"C:\\Program Files (x86)\\amkja\\714991681.exe",
"C:\\",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\cuckoo_2824.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-56R6I.tmp",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\cuckoo_2736.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config",
"C:\\cuckoo_1348.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.default",
"C:\\cuckoo_1788.ini",
"C:\\cuckoo_1556.ini",
"C:\\Users\\cuck\\AppData\\Local\\Programs",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.default",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json\\Newtonsoft.Json.dll",
"C:\\Windows\\winsxs\\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"C:\\Users\\cuck\\AppData\\Local\\Programs\\Common",
"C:\\cuckoo_1676.ini",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\fusion.localgac",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json.exe",
"C:\\Program Files (x86)\\amkja",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.default",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-MKS0P.tmp",
"C:\\Program Files (x86)\\amkja\\714991681.exe.Config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json\\Newtonsoft.Json.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp",
"C:\\Program Files (x86)",
"C:\\cuckoo_2056.ini",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-SLFMP.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll"
],
"mutex": [
"Local\\Shell.CMruPidlList",
"Local\\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000",
"Local\\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511",
"Global\\.net clr networking",
"RasPbFile"
],
"file_failed": [
"C:\\Windows\\winsxs\\FileMaps\\users_cuck_appdata_local_temp_is-839ks.tmp_31458b8157a7828a.cdf-ms",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"C:\\cuckoo_1676.ini",
"C:\\Windows\\Microsoft.NET\\Framework64\\Upgrades.2.0.50727\\",
"C:\\cuckoo_2824.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config",
"C:\\cuckoo_1348.ini",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\cuckoo_2736.ini",
"C:\\cuckoo_1788.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\cuckoo_2056.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.new",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\cuckoo_1556.ini"
],
"resolves_host": [
"pc.publicnewsetup.com",
"wpad",
"cuckpc"
],
"guid": [
"{ea1afb91-9e28-4b86-90e9-9e9f8a5eefaf}",
"{c08956a2-1cd3-11d1-b1c5-00805fc1270e}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{660b90c8-73a9-4b58-8cae-355b7f55341b}",
"{ba126ae5-2166-11d1-b1d0-00805fc1270e}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}",
"{9b63616c-36b2-46bc-959f-c1593952d19b}",
"{1a1f4206-0688-4e7f-be03-d82ec69df9a5}",
"{42aedc87-2188-41fd-b9a3-0c966feabec1}",
"{00000000-0000-0000-c000-000000000046}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{000214e6-0000-0000-c000-000000000046}",
"{2fb499a3-cfce-480f-a5f3-2453db7a2b7a}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{ba126ad1-2166-11d1-b1d0-00805fc1270e}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{faedcf69-31fe-11d1-aad2-00805fc1270e}",
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{46a6eeff-908e-4dc6-92a6-64be9177b41c}",
"{7007acc7-3202-11d1-aad2-00805fc1270e}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{03c036f1-a186-11d0-824a-00aa005b4383}"
],
"file_read": [
"C:\\Program Files (x86)\\amkja\\714991681.exe.Config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin",
"C:\\Program Files (x86)\\amkja\\714991681.exe.config",
"C:\\Program Files (x86)\\desktop.ini",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\C70CE05B",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Favorites",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Programs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,AMD64",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\MediaPermission\\Xml",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU Size",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\LocalizedString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TURNOFFDEBUGINFO",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\System.ItemNameDisplay",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\ConfigString",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CseOn",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Description",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MVID",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\netshell.dll,-1200",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\WebBrowserPermission\\Xml",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\WebBrowserPermission\\Xml",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClearRecentDocsOnExit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SQMServiceList\\SQMServiceList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\SIG",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\System.ItemNameDisplay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\EvalationData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeInline",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlot",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\WaitToKillServiceTimeout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\prnfldr.dll,-8036",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0001",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\MediaPermission\\Xml",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5188574",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\EnableFileTracing",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Category",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegProcs0000",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\LoadWithoutCOM",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PromotedIconCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\A0D71EFA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\NewGCCalc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\LastModTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{2227A280-3AEA-1069-A2DE-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeCalliOpt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableHotCold",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\SIG",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TailCallOpt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations2",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\LocalizedString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\14AF6798",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Image Path",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegSvcs0000",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Programs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\LastModTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\FileDirectory",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:FMTID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\IconSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\EnableConsoleTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\FFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Sort",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\FileTracingMask",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ColInfo",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByDirection",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5188574",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\FileDirectory",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\LastAdvertisement",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PastIconsStream",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupView",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\UserStartTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2\\Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:PID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\\CheckSetting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\LogicalViewMode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Mode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\ConsoleTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\\Desktop\\TaskbarWinXP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000"
]
}Dropped
[
{
"yara": [],
"sha1": "f471234fa142c8ece647122095f7ff8ea87cf423",
"name": "0afdfed86b9e8193_psvince.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "0afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692",
"urls": [],
"crc32": "48964808",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/0afdfed86b9e8193_psvince.dll",
"ssdeep": null,
"size": 43520,
"sha512": "8cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4",
"pids": [
1556
],
"md5": "d726d1db6c265703dcd79b29adc63f86"
},
{
"yara": [],
"sha1": "faeef415bd0bc2a08cf9fe1e987007bf28e7218d",
"name": "e5a0ad2e37dde043_idp.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f",
"urls": [],
"crc32": "0106BEC4",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/e5a0ad2e37dde043_idp.dll",
"ssdeep": null,
"size": 221184,
"sha512": "69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc",
"pids": [
1556
],
"md5": "b37377d34c8262a90ff95a9a92b65ed8"
},
{
"yara": [],
"sha1": "ef5f42fd21f6e72bdc74794f2496884d9c40bbfb",
"name": "52ca39624f8fd70b_hamdouna.exe.config",
"filepath": "c:\\users\\cuck\\appdata\\local\\temp\\is-839ks.tmp\\hamdouna.exe.config",
"type": "XML 1.0 document, ASCII text, with CRLF line terminators",
"sha256": "52ca39624f8fd70bc441d055712f115856bc67b37efb860d654e4a8909106dc0",
"urls": [],
"crc32": "13671B79",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/52ca39624f8fd70b_hamdouna.exe.config",
"ssdeep": null,
"size": 1860,
"sha512": "cb32ce5ef72548d1b0d27f3f254f4b67b23a0b662d0ef7ae12f9e3ef1b0a917b098368b434caf54751c02c0f930e92cffd384f105d8d79ee725df4d97a559a3d",
"pids": [
1676
],
"md5": "3f1498c07d8713fe5c315db15a2a2cf3"
},
{
"yara": [],
"sha1": "646cef384e949aaf61e6d0b243d8d84ab04e79b7",
"name": "6535ba91fcca7174__isdecmp.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_isdecmp.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b",
"urls": [
"http:\/\/www.usertrust.com1",
"http:\/\/repository.certum.pl\/l3.cer0",
"http:\/\/crl.certum.pl\/l3.crl0a",
"https:\/\/www.certum.pl\/repository.0",
"http:\/\/crl.certum.pl\/ca.crl0:",
"http:\/\/crl.comodoca.com\/COMODORSACodeSigningCA.crl0t",
"https:\/\/www.certum.pl\/CPS0",
"http:\/\/www.jrsoftware.org\/0",
"http:\/\/crl.comodoca.com\/COMODORSACertificationAuthority.crl0q",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl05",
"https:\/\/secure.comodo.net\/CPS0C",
"http:\/\/ocsp.usertrust.com0",
"http:\/\/crt.comodoca.com\/COMODORSACodeSigningCA.crt0",
"http:\/\/ocsp.comodoca.com0",
"http:\/\/ocsp.certum.pl0.",
"http:\/\/crt.comodoca.com\/COMODORSAAddTrustCA.crt0"
],
"crc32": "62E04312",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/6535ba91fcca7174__isdecmp.dll",
"ssdeep": null,
"size": 30376,
"sha512": "4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d",
"pids": [
1676
],
"md5": "fd4743e2a51dd8e0d44f96eae1853226"
},
{
"yara": [],
"sha1": "dccf58308994cae95d6b91a6c284e70350c028df",
"name": "a5dc700ad2d32e47_hosts",
"filepath": "C:\\Windows\\System32\\drivers\\etc\\hosts",
"type": "ASCII text, with CRLF line terminators",
"sha256": "a5dc700ad2d32e473571275e3207fe1d8b2294363ad9f1d144bba92013ae3df1",
"urls": [],
"crc32": "5B3CE78B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/a5dc700ad2d32e47_hosts",
"ssdeep": null,
"size": 1032,
"sha512": "4b1922a3c33939670d0115ecef34abe6f582a383d5ec1582787b34c82351e1cfcc0bd2b6805fb2e31fd95b53df648b3fc8f9b7ec50b0c2d891a24407adb6f64d",
"pids": [
2056
],
"md5": "5d104652fed9d8235a991eac12b0a041"
},
{
"yara": [],
"sha1": "f6d96898adaebba7fda71222d642d7bce603e5c6",
"name": "1378fdaf8184f5ff_enterprisesec.config.cch",
"filepath": "c:\\windows\\microsoft.net\\framework64\\v2.0.50727\\config\\enterprisesec.config.cch",
"type": "data",
"sha256": "1378fdaf8184f5ffc518fbe82066d115dd9bc0c2ce2e3894f5b69bb273fd509e",
"urls": [],
"crc32": "855A040B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/1378fdaf8184f5ff_enterprisesec.config.cch",
"ssdeep": null,
"size": 408,
"sha512": "5c0b26de07b4c75f60d8344d1d477eb0362fc4dc0305d2cb04c948cb102ccabd60a3bf6981d8b4d708eeeb83b99ed2e1dcef580cf5c07d591af33c7b2e6cf148",
"pids": [
2056
],
"md5": "7b82d18447d75f654236b1f846077415"
},
{
"yara": [],
"sha1": "6e91dd5c4c5db64df8e22cf9e0624615a6c1fcf5",
"name": "8efe31ce4d724aec_hamdouna.exe",
"filepath": "c:\\users\\cuck\\appdata\\local\\temp\\is-839ks.tmp\\hamdouna.exe",
"type": "PE32 executable (GUI) Intel 80386 Mono\/.Net assembly, for MS Windows",
"sha256": "8efe31ce4d724aec96a332cf010b934af44b8033e55aa1b9c220cd1f6ed23169",
"urls": [],
"crc32": "A78CA381",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/8efe31ce4d724aec_hamdouna.exe",
"ssdeep": null,
"size": 460288,
"sha512": "3d346ad1fa871945abf69c077327ead21e84ef93f261838c7a3b940437386f8d0800b4f46eb3f558b9f6171dda9befdce92333c6aa06c5bf6473a4c111e2110f",
"pids": [
1676
],
"md5": "42a5da4312a0b21b7613b895b362219b"
},
{
"yara": [],
"sha1": "0c66ecb9110cc5d4c9c833f3b3ad35aed2c4b8ca",
"name": "dfd62d0755555778_itdownload.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "dfd62d0755555778583f86521a6806c2e4053c5f282287c149183123085798d8",
"urls": [],
"crc32": "DF577E57",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/dfd62d0755555778_itdownload.dll",
"ssdeep": null,
"size": 203264,
"sha512": "660248bff3048ac43363eeff63eea93287017a2dc60bb9744764e777b40bcac20d522bc77c0a2060d4737a1244338019864a6e22215942e5ddd0f84843a03c59",
"pids": [
1556
],
"md5": "6ac939f80346082a2f34774953fd3dcb"
},
{
"yara": [],
"sha1": "580cfd6d7a8330dfb4f81eed0c658dce76ba7624",
"name": "912b184084dd338e_eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "912b184084dd338e978850cc46e63219a2df3ba2d576837178920a15d9c03e4a",
"urls": [
"http:\/\/www.remobjects.com\/ps",
"http:\/\/www.innosetup.com\/"
],
"crc32": "77934776",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/912b184084dd338e_eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"ssdeep": null,
"size": 876544,
"sha512": "90b243126d7a3caae55a7d8d342e86ee710a5f5fd0ee104dfda84423ef46b7479416092cf2a08859d2e715767f9d4a98e3b9fc4d76e6aa1cc3061eb80ab80b08",
"pids": [
2736
],
"md5": "233dde3c95904d2a71ab3c89453c74d9"
},
{
"yara": [],
"sha1": "019cd56ba687d39d12d4b13991c9a42ea6ba03da",
"name": "388a796580234efc__setup64.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_setup64.tmp",
"type": "PE32+ executable (console) x86-64, for MS Windows",
"sha256": "388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95",
"urls": [],
"crc32": "2CDCC338",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/388a796580234efc__setup64.tmp",
"ssdeep": null,
"size": 6144,
"sha512": "17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e",
"pids": [
1556
],
"md5": "e4211d6d009757c078a9fac7ff4f03d4"
},
{
"yara": [],
"sha1": "45f58598b832c6d4d4a95ef33c033c13b6c5a88a",
"name": "773fcc4478428f97_gadouha.exe",
"filepath": "c:\\users\\cuck\\appdata\\local\\temp\\is-839ks.tmp\\gadouha.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "773fcc4478428f97d9abb0118acf8f149c5713459f1007b7020ac1698f60ed68",
"urls": [
"http:\/\/www.jrsoftware.org\/ishelp\/index.php?topic=setupcmdline"
],
"crc32": "6D5E2648",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/773fcc4478428f97_gadouha.exe",
"ssdeep": null,
"size": 814445,
"sha512": "b9b527780b03048e96177df11b64afbd797a543a8928558f1d3c68bd133485ec77a63f740e0a47849dab2905e01f23b9f87d8fa032d789bea0a059defb519aad",
"pids": [
1676
],
"md5": "75d2091a7be9718ad58041e8df9afda5"
},
{
"yara": [],
"sha1": "3fc525523a0c2db17456baf686e84b1b3a7217fd",
"name": "5967d831ca34fd59_gadouha.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "5967d831ca34fd59458f67d6a7f5ed6422328a4d0fa01b076c332facf5dc727b",
"urls": [
"http:\/\/www.remobjects.com\/ps",
"http:\/\/www.innosetup.com\/"
],
"crc32": "E9F5C225",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9731\/files\/5967d831ca34fd59_gadouha.tmp",
"ssdeep": null,
"size": 739840,
"sha512": "d4b6748dd9c643b26e205d48da980a3dfc9c5fbde5ba0ffb19e2a2563335458e3524d18d2f2c54ff75f0b0f945cde57933329e815f5ba8536b7f506d7970718e",
"pids": [
2824
],
"md5": "f98a6b942ab09c6af5de82483c90f5f2"
}
]Generic
[
{
"process_path": "C:\\Program Files (x86)\\amkja\\714991681.exe",
"process_name": "714991681.exe",
"pid": 1348,
"summary": {
"dll_loaded": [
"AdvApi32.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll",
"ntdll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System\\adff7dd9fe8e541775c46b6363401b22\\System.ni.dll",
"shell32.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\culture.dll",
"mscoree.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorjit.dll",
"kernel32.dll",
"gdi32.dll",
"advapi32.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\ole32.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"RpcRtRemote.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\mscorlib\\9469491f37d9c35b596968b206615309\\mscorlib.ni.dll",
"ADVAPI32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Windows.Forms\\6c352ff9e3603b0e69d969ff7e7632f5\\System.Windows.Forms.ni.dll",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Drawing\\5910828a337dbe848dc90c7ae0a7dee2\\System.Drawing.ni.dll"
],
"file_opened": [
"C:\\Program Files (x86)\\amkja\\714991681.exe",
"C:\\",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\",
"C:\\Program Files (x86)\\",
"C:\\Windows\\",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\index143.dat",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\",
"C:\\Windows\\winsxs\\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\\",
"C:\\Program Files (x86)\\amkja\\714991681.exe.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Program Files (x86)\\amkja\\714991681.exe.Config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\",
"C:\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Program Files (x86)\\amkja\\",
"C:\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3175ab79\\107c66d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5c4b5a48\\7901e0f4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Program Files (x86)|amkja|714991681.exe.Config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Program Files (x86)|amkja|714991681.exe.Config",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\standards",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Program Files (x86)|amkja|714991681.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\714991681.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\internal\\jit\\Perf",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e"
],
"file_deleted": [
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1348.38516312",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1348.38516312",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1348.38516484"
],
"file_exists": [
"C:\\Program Files (x86)\\amkja\\714991681.exe",
"C:\\Windows\\winsxs\\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\\msvcr80.dll",
"C:\\Program Files (x86)\\amkja\\714991681.exe.Config",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\fusion.localgac",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json\\Newtonsoft.Json.dll",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json\\Newtonsoft.Json.exe",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json.dll",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json.exe"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework64\\Upgrades.2.0.50727\\",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config"
],
"file_read": [
"C:\\Program Files (x86)\\amkja\\714991681.exe.Config",
"C:\\Program Files (x86)\\amkja\\714991681.exe.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeInline",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TailCallOpt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableHotCold",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,AMD64",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\14AF6798",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\NewGCCalc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TURNOFFDEBUGINFO",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeCalliOpt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CseOn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Image Path",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type"
]
},
"first_seen": 1601430808.796751,
"ppid": 2056
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"process_name": "Gadouha.exe",
"pid": 2824,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp"
],
"dll_loaded": [
"C:\\Windows\\system32\\cryptbase.dll",
"C:\\Windows\\system32\\apphelp.dll",
"C:\\Windows\\system32\\userenv.dll",
"C:\\Windows\\system32\\dwmapi.dll",
"dwmapi.dll",
"C:\\Windows\\system32\\propsys.dll",
"C:\\Windows\\system32\\clbcatq.dll",
"comctl32.dll",
"C:\\Windows\\system32\\profapi.dll",
"kernel32.dll",
"C:\\Windows\\system32\\setupapi.dll",
"C:\\Windows\\system32\\shell32.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\version.dll",
"ADVAPI32.dll",
"C:\\Windows\\system32\\oleacc.dll",
"C:\\Windows\\system32\\comres.dll",
"C:\\Windows\\system32\\ntmarta.dll",
"C:\\Windows\\system32\\uxtheme.dll"
],
"file_opened": [
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp\" \/SL5=\"$70262,537450,79360,C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe\" \/p=oih"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity"
]
},
"first_seen": 1601430796.359249,
"ppid": 1676
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1601430789.3125,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"process_name": "eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"pid": 1676,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-MKS0P.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_setup64.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_isdecmp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-56R6I.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-SLFMP.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"\\Device\\KsecDD"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Local\\Programs\\Common",
"C:\\Program Files (x86)\\amkja",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Programs",
"C:\\Users\\cuck\\AppData\\Local"
],
"dll_loaded": [
"C:\\Windows\\system32\\clbcatq.dll",
"C:\\Windows\\system32\\sfc.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_isdecmp.dll",
"C:\\Windows\\system32\\setupapi.dll",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"C:\\Windows\\system32\\apphelp.dll",
"C:\\Windows\\system32\\propsys.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"OLEAUT32.DLL",
"comctl32",
"ole32.dll",
"IMM32.dll",
"C:\\Windows\\system32\\cryptbase.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"C:\\Windows\\system32\\dwmapi.dll",
"C:\\Windows\\system32\\shlwapi.dll",
"C:\\Windows\\system32\\profapi.dll",
"C:\\Windows\\system32\\comres.dll",
"C:\\Windows\\system32\\version.dll",
"profapi.dll",
"C:\\Windows\\system32\\shfolder.dll",
"C:\\Windows\\system32\\oleacc.dll",
"comctl32.dll",
"C:\\Windows\\system32\\userenv.dll",
"C:\\Windows\\system32\\shell32.dll",
"C:\\Windows\\system32\\Rstrtmgr.dll",
"DEVRTL.dll",
"ADVAPI32.dll",
"SETUPAPI.dll",
"C:\\Windows\\system32\\ntmarta.dll",
"OLEAUT32.dll"
],
"file_opened": [
"C:\\Windows\\System32\\imageres.dll",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-SLFMP.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-56R6I.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin",
"C:\\Windows\\System32\\shell32.dll",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-MKS0P.tmp",
"C:\\Windows\\System32"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"C:\\Program Files (x86)\\amkja\\714991681.exe"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"C:\\Program Files (x86)\\amkja\\714991681.exe.config"
]
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\RestartManager",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\zjka_is1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\zjka_is1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
],
"command_line": [
"\"C:\\Program Files (x86)\\amkja\\714991681.exe\" 0 0 0 0",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe\" \/p=oih"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_isdecmp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-SLFMP.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_setup64.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-56R6I.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-MKS0P.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-MKS0P.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-56R6I.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Program Files (x86)",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\is-SLFMP.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Programs",
"C:\\Program Files (x86)\\amkja",
"C:\\Users\\cuck\\AppData\\Local"
],
"mutex": [
"Local\\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000",
"Local\\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
],
"file_failed": [
"C:\\Windows\\winsxs\\FileMaps\\users_cuck_appdata_local_temp_is-839ks.tmp_31458b8157a7828a.cdf-ms",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe"
],
"guid": [
"{ea1afb91-9e28-4b86-90e9-9e9f8a5eefaf}",
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{00000000-0000-0000-c000-000000000046}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{03c036f1-a186-11d0-824a-00aa005b4383}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\C70CE05B",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe.config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\PreCreate",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Category",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\RelativePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegProcs0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Security",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\WaitToKillServiceTimeout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\InfoTip",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegSvcs0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Hamdouna.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000"
]
},
"first_seen": 1601430789.984375,
"ppid": 2736
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin",
"process_name": "eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin",
"pid": 2736,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp"
],
"dll_loaded": [
"C:\\Windows\\system32\\cryptbase.dll",
"C:\\Windows\\system32\\apphelp.dll",
"C:\\Windows\\system32\\userenv.dll",
"C:\\Windows\\system32\\dwmapi.dll",
"dwmapi.dll",
"C:\\Windows\\system32\\propsys.dll",
"C:\\Windows\\system32\\clbcatq.dll",
"comctl32.dll",
"C:\\Windows\\system32\\profapi.dll",
"kernel32.dll",
"C:\\Windows\\system32\\setupapi.dll",
"C:\\Windows\\system32\\shell32.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\version.dll",
"ADVAPI32.dll",
"C:\\Windows\\system32\\oleacc.dll",
"C:\\Windows\\system32\\comres.dll",
"C:\\Windows\\system32\\ntmarta.dll",
"C:\\Windows\\system32\\uxtheme.dll"
],
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp\" \/SL5=\"$60262,1280131,216064,C:\\Users\\cuck\\AppData\\Local\\Temp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin\" "
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.bin"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity"
]
},
"first_seen": 1601430789.703125,
"ppid": 3040
},
{
"process_path": "C:\\Program Files (x86)\\amkja\\714991681.exe",
"process_name": "714991681.exe",
"pid": 2056,
"summary": {
"file_created": [
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.new",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.new"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\EnableConsoleTracing"
],
"dll_loaded": [
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\shell32.dll",
"C:\\Windows\\System32\\mswsock.dll",
"CRYPTSP.dll",
"credssp.dll",
"ntdll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Configuration\\091b931d0f6408001747dbbbb05dbe66\\System.Configuration.ni.dll",
"gdi32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll",
"DNSAPI.dll",
"kernel32.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\iphlpapi.dll",
"ntdll.dll",
"C:\\Windows\\system32\\napinsp.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Xml\\ee795155543768ea67eecddc686a1e9e\\System.Xml.ni.dll",
"winhttp.dll",
"ADVAPI32.dll",
"SspiCli.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System\\adff7dd9fe8e541775c46b6363401b22\\System.ni.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\culture.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\rasapi32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\winhttp.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"cryptsp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"advapi32.dll",
"ole32.dll",
"SHLWAPI.dll",
"ws2_32.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"RASMAN.DLL",
"rtutils.dll",
"IPHLPAPI.DLL",
"shell32.dll",
"shfolder.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"rpcrt4.dll",
"RPCRT4.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\System32\\winrnr.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"NSI.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"iphlpapi.dll",
"mscoree.dll",
"RpcRtRemote.dll",
"CFGMGR32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\mscorlib\\9469491f37d9c35b596968b206615309\\mscorlib.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\ole32.dll",
"rasapi32.dll",
"AdvApi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Windows.Forms\\6c352ff9e3603b0e69d969ff7e7632f5\\System.Windows.Forms.ni.dll",
"SETUPAPI.dll",
"WS2_32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Drawing\\5910828a337dbe848dc90c7ae0a7dee2\\System.Drawing.ni.dll"
],
"file_opened": [
"C:\\Program Files (x86)\\amkja\\714991681.exe",
"C:\\",
"C:\\Windows\\System32\\drivers\\etc\\hosts",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\",
"C:\\Program Files (x86)\\",
"C:\\Windows\\",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\index143.dat",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\",
"C:\\Windows\\winsxs\\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\\",
"C:\\Program Files (x86)\\amkja\\714991681.exe.config",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\",
"C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.new",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\",
"C:\\Program Files (x86)\\amkja\\714991681.exe.Config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\",
"C:\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.new",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Program Files (x86)\\amkja\\",
"C:\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3175ab79\\107c66d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\MediaPermission",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5c4b5a48\\7901e0f4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Program Files (x86)|amkja|714991681.exe.Config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Program Files (x86)|amkja|714991681.exe.Config",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\WebBrowserPermission",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\MediaPermission",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\standards",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\WebBrowserPermission",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Program Files (x86)|amkja|714991681.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\714991681.exe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\internal\\jit\\Perf",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
],
"resolves_host": [
"pc.publicnewsetup.com",
"wpad",
"cuckpc"
],
"file_written": [
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\System32\\drivers\\etc\\hosts"
],
"file_deleted": [
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2056.38504109",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.2056.38504093",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.2056.38504671"
],
"file_exists": [
"C:\\Program Files (x86)\\amkja\\714991681.exe",
"C:\\Windows\\winsxs\\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\\msvcr80.dll",
"C:\\Program Files (x86)\\amkja\\714991681.exe.Config",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\fusion.localgac",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json\\Newtonsoft.Json.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json\\Newtonsoft.Json.exe",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json.dll",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.default",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.default",
"C:\\Program Files (x86)\\amkja\\Newtonsoft.Json.exe",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.default"
],
"mutex": [
"Global\\.net clr networking",
"RasPbFile"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework64\\Upgrades.2.0.50727\\",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.new",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch"
],
"command_line": [
"\"C:\\Program Files (x86)\\amkja\\714991681.exe\" 1 ",
"C:\\Program Files (x86)\\amkja\\714991681.exe 1 "
],
"file_read": [
"C:\\Program Files (x86)\\amkja\\714991681.exe.Config",
"C:\\Program Files (x86)\\amkja\\714991681.exe.config",
"C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeInline",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TailCallOpt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\WebBrowserPermission\\Xml",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableHotCold",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\EvalationData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SQMServiceList\\SQMServiceList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\LastModTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Modules",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\WebBrowserPermission\\Xml",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,AMD64",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet\\MediaPermission\\Xml",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet\\MediaPermission\\Xml",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\14AF6798",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Image Path",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\NewGCCalc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3ced59c5\\1b2590b1\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TURNOFFDEBUGINFO",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\714991681_RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\3cca06a0\\6dc7d4c0\\84\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeCalliOpt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CseOn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\2dd6ac50\\163e1f5e\\8a\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\61e7e666\\c991064\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments"
],
"directory_created": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users"
]
},
"first_seen": 1601430796.312374,
"ppid": 1676
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp",
"process_name": "Gadouha.tmp",
"pid": 1556,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_setup64.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_isdecmp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll"
],
"file_recreated": [
"\\Device\\KsecDD"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Programs\\Common",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Local\\Programs",
"C:\\Users\\cuck\\AppData\\Local"
],
"dll_loaded": [
"C:\\Windows\\system32\\clbcatq.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\system32\\setupapi.dll",
"kernel32.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"C:\\Windows\\system32\\napinsp.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"C:\\Windows\\system32\\apphelp.dll",
"C:\\Windows\\system32\\propsys.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"ole32.dll",
"ws2_32.dll",
"C:\\Windows\\system32\\cryptbase.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"C:\\Windows\\system32\\dwmapi.dll",
"C:\\Windows\\system32\\profapi.dll",
"C:\\Windows\\system32\\comres.dll",
"shell32.dll",
"C:\\Windows\\system32\\version.dll",
"profapi.dll",
"C:\\Windows\\system32\\shfolder.dll",
"C:\\Windows\\system32\\oleacc.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\winrnr.dll",
"C:\\Windows\\system32\\userenv.dll",
"C:\\Windows\\system32\\shell32.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"WS2_32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll",
"C:\\Windows\\system32\\Rstrtmgr.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_isdecmp.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll",
"C:\\Windows\\system32\\ntmarta.dll"
],
"file_opened": [
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\Gadouha.tmp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\RestartManager",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Borland\\Locales",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Borland\\Locales",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_setup64.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\_isetup\\_isdecmp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"C:\\Users\\cuck\\AppData\\Local\\Programs\\Common",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Programs",
"C:\\Users\\cuck\\AppData\\Local"
],
"mutex": [
"Local\\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000",
"Local\\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5188574",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\PreCreate",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Security",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\WaitToKillServiceTimeout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Icon",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\A0D71EFA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Roamable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Description",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5188574",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner",
"HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence"
]
},
"first_seen": 1601430797.015501,
"ppid": 2824
},
{
"process_path": "C:\\Windows\\explorer.exe",
"process_name": "explorer.exe",
"pid": 1788,
"summary": {
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:FMTID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\IconSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\FFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Sort",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ColInfo",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByDirection",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\LastAdvertisement",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PastIconsStream",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupView",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\UserStartTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2\\Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:PID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\\CheckSetting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\LogicalViewMode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Mode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\\Desktop\\TaskbarWinXP"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\",
"C:\\",
"C:\\Users\\",
"C:\\Users\\cuck\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"c:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Program Files (x86)\\desktop.ini",
"C:\\Users\\cuck\\AppData\\"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupCollapseState",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemOrder",
"HKEY_CURRENT_USER\\System\\CurrentControlSet\\Control\\Network\\ShowWirelessConnectingOnStart",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemPos800x600x96(1)"
],
"file_exists": [
"C:\\cuckoo_1348.ini",
"C:\\cuckoo_1676.ini",
"C:\\cuckoo_2824.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp",
"C:\\Users\\cuck\\Desktop",
"C:\\cuckoo_2736.ini",
"C:\\cuckoo_1788.ini",
"C:\\Program Files (x86)",
"C:\\cuckoo_2056.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"C:\\cuckoo_1556.ini"
],
"mutex": [
"Local\\Shell.CMruPidlList"
],
"file_failed": [
"C:\\cuckoo_1676.ini",
"C:\\cuckoo_2824.ini",
"C:\\cuckoo_1348.ini",
"C:\\cuckoo_2736.ini",
"C:\\cuckoo_1788.ini",
"C:\\cuckoo_2056.ini",
"C:\\cuckoo_1556.ini"
],
"guid": [
"{9b63616c-36b2-46bc-959f-c1593952d19b}",
"{1a1f4206-0688-4e7f-be03-d82ec69df9a5}",
"{c08956a2-1cd3-11d1-b1c5-00805fc1270e}",
"{42aedc87-2188-41fd-b9a3-0c966feabec1}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{46a6eeff-908e-4dc6-92a6-64be9177b41c}",
"{7007acc7-3202-11d1-aad2-00805fc1270e}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{2fb499a3-cfce-480f-a5f3-2453db7a2b7a}",
"{ba126ad1-2166-11d1-b1d0-00805fc1270e}",
"{faedcf69-31fe-11d1-aad2-00805fc1270e}",
"{660b90c8-73a9-4b58-8cae-355b7f55341b}",
"{ba126ae5-2166-11d1-b1d0-00805fc1270e}",
"{000214e6-0000-0000-c000-000000000046}"
],
"file_read": [
"C:\\Program Files (x86)\\desktop.ini"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\System.ItemNameDisplay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PromotedIconCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Programs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\netshell.dll,-1200",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Programs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClearRecentDocsOnExit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\prnfldr.dll,-8036",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Favorites",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\System.ItemNameDisplay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU Size",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\LocalizedString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{9E3995AB-1F9C-4F13-B827-48B24B6C7174}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\LoadWithoutCOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{2227A280-3AEA-1069-A2DE-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\LocalizedString",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\ShellFolder\\UseDropHandler"
]
},
"first_seen": 1601430790.21875,
"ppid": 1740
}
]Signatures
[
{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1601430793.796375,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 2537
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1601430370.315645,
"tid": 2804,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 1524
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 4,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1601430789.890125,
"tid": 2504,
"flags": {}
},
"pid": 2736,
"type": "call",
"cid": 366
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1601430367.581645,
"tid": 2804,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 360
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1601430796.828249,
"tid": 2284,
"flags": {}
},
"pid": 2824,
"type": "call",
"cid": 372
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1601430379.78502,
"tid": 3036,
"flags": {}
},
"pid": 1348,
"type": "call",
"cid": 360
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)",
"severity": 1,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "recon_fingerprint"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1601430368.206645,
"tid": 2804,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 464
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 3,
"families": [],
"description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
"severity": 1,
"marks": [
{
"category": "section",
"ioc": "CODE",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "DATA",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "BSS",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_features"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 158,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2736,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x00400000"
},
"time": 1601430789.843125,
"tid": 2504,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2736,
"type": "call",
"cid": 168
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2736,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 45056,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x00401000"
},
"time": 1601430789.843125,
"tid": 2504,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2736,
"type": "call",
"cid": 170
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2736,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 180224,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x00410000"
},
"time": 1601430789.843125,
"tid": 2504,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2736,
"type": "call",
"cid": 172
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x023a0000"
},
"time": 1601430790.078375,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 194
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeed41000"
},
"time": 1601430367.487645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 241
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbe000"
},
"time": 1601430367.549645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 319
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbe000"
},
"time": 1601430367.549645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 321
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbf000"
},
"time": 1601430367.581645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 371
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbf000"
},
"time": 1601430367.581645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 373
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbf000"
},
"time": 1601430367.581645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 375
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbf000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 377
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbf000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 379
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbf000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 381
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbf000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 383
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbf000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 385
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefc0000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 387
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefc0000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 389
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefc0000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 391
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefc0000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 393
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefc0000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 395
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefc1000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 397
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefc1000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 399
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefc1000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 401
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefc1000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 403
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feeefbe000"
},
"time": 1601430367.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2056,
"type": "call",
"cid": 405
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00042000"
},
"time": 1601430368.237645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 525
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 589824,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 1056768,
"base_address": "0x000007fffff20000"
},
"time": 1601430368.331645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE|MEM_TOP_DOWN"
}
},
"pid": 2056,
"type": "call",
"cid": 557
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007fffff20000"
},
"time": 1601430368.331645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 558
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007fffff20000"
},
"time": 1601430368.331645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 559
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 1056768,
"base_address": "0x000007fffff10000"
},
"time": 1601430368.331645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE|MEM_TOP_DOWN"
}
},
"pid": 2056,
"type": "call",
"cid": 560
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007fffff10000"
},
"time": 1601430368.331645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 561
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff000fa000"
},
"time": 1601430368.331645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 562
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00032000"
},
"time": 1601430368.331645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 563
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00043000"
},
"time": 1601430368.393645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 581
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff0010a000"
},
"time": 1601430368.393645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 592
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00132000"
},
"time": 1601430368.393645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 593
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff0010d000"
},
"time": 1601430368.393645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 594
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff0004c000"
},
"time": 1601430368.424645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 635
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00180000"
},
"time": 1601430368.518645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 679
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff000f2000"
},
"time": 1601430368.518645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 682
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00044000"
},
"time": 1601430368.534645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 703
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00045000"
},
"time": 1601430368.581645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 719
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00181000"
},
"time": 1601430368.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 721
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00046000"
},
"time": 1601430368.596645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 722
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff0003a000"
},
"time": 1601430368.612645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 731
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff001cf000"
},
"time": 1601430368.612645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 737
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff001c0000"
},
"time": 1601430368.612645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 738
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff0005f000"
},
"time": 1601430368.628645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 746
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff00182000"
},
"time": 1601430368.706645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 760
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x000007ff0004a000"
},
"time": 1601430368.706645,
"tid": 2804,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 773
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 0,
"families": [],
"description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed",
"severity": 2,
"marks": [],
"references": [
"https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb"
],
"name": "antisandbox_foregroundwindows"
},
{
"markcount": 2,
"families": [],
"description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
"severity": 2,
"marks": [
{
"call": {
"category": "misc",
"status": 0,
"stacktrace": [],
"last_error": 3,
"nt_status": -1073741772,
"api": "GetDiskFreeSpaceExW",
"return_value": 0,
"arguments": {
"root_path": "C:\\Program Files (x86)\\amkja\\",
"free_bytes_available": 8519242116645940457,
"total_number_of_free_bytes": 0,
"total_number_of_bytes": 4294967295
},
"time": 1601430791.609375,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 2278
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "C:\\Program Files (x86)\\",
"free_bytes_available": 23509606400,
"total_number_of_free_bytes": 0,
"total_number_of_bytes": 34252779520
},
"time": 1601430791.609375,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 2281
}
],
"references": [],
"name": "antivm_disk_size"
},
{
"markcount": 1,
"families": [],
"description": "Steals private information from local Internet browsers",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "infostealer_browser"
},
{
"markcount": 6,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\psvince.dll",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\idp.dll",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\_isetup\\_isdecmp.dll",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-6IB5Q.tmp\\itdownload.dll",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-SVT21.tmp\\eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0.tmp",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-IQTOO.tmp\\Gadouha.tmp",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "GetAdaptersAddresses",
"return_value": 0,
"arguments": {
"flags": 1158,
"family": 0
},
"time": 1601430370.737645,
"tid": 2804,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 1893
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 2,
"families": [],
"description": "Queries for potentially installed applications",
"severity": 2,
"marks": [
{
"call": {
"category": "registry",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "RegOpenKeyExA",
"return_value": 2,
"arguments": {
"access": "0x00000001",
"base_handle": "0x80000001",
"key_handle": "0x00000000",
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\zjka_is1",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\zjka_is1",
"options": 0
},
"time": 1601430790.281375,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 1948
},
{
"call": {
"category": "registry",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "RegOpenKeyExA",
"return_value": 2,
"arguments": {
"access": "0x00000001",
"base_handle": "0x80000002",
"key_handle": "0x00000000",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\zjka_is1",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\zjka_is1",
"options": 0
},
"time": 1601430790.281375,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 1949
}
],
"references": [],
"name": "queries_programs"
},
{
"markcount": 1,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5188574",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-839KS.tmp\\Gadouha.exe\" \/VERYSILENT"
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 2,
"families": [],
"description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "NtSetValueKey",
"return_value": 0,
"arguments": {
"index": 0,
"key_handle": "0x0000000000000f84",
"value": "\u0014\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0010\u0000\u0000\u0000\u0014\u0000\u0000\u0000IL \u0006\u0010\u0000$\u0000\u0018\u0000\u0010\u0000\u0010\u0000\u00ff\u00ff\u00ff\u00ff!\u0010\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ffBM6\u0000\u0000\u0000\u0000\u0000\u0000\u00006\u0000\u0000\u0000(\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0002\u0000\u0000\u0001\u0000 \u0000\u0000\u0000\u0000\u0000\u0000\u0090\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PastIconsStream"
},
"time": 1601430370.488021,
"tid": 1828,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 1788,
"type": "call",
"cid": 5780
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "NtSetValueKey",
"return_value": 0,
"arguments": {
"index": 0,
"key_handle": "0x00000000000001e0",
"value": "\u0014\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0004\u0000\u0000\u0000\u0014\u0000\u0000\u0000{\u0000S\u00003\u00008\u0000O\u0000S\u00004\u00000\u00004\u0000-\u00001\u0000Q\u00004\u00003\u0000-\u00004\u00002\u0000S\u00002\u0000-\u00009\u00003\u00000\u00005\u0000-\u00006\u00007\u0000Q\u0000R\u00000\u0000O\u00002\u00008\u0000S\u0000P\u00002\u00003\u0000}\u0000\\\u0000r\u0000k\u0000c\u0000y\u0000b\u0000e\u0000r\u0000e\u0000.\u0000r\u0000k\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u00e4\u0007\t\u0000F\u0000b\u0000y\u0000i\u0000r\u0000 \u0000C\u0000P\u0000 \u0000v\u0000f\u0000f\u0000h\u0000r\u0000f\u0000:\u0000 \u00001\u0000 \u0000z\u0000r\u0000f\u0000f\u0000n\u0000t\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000e\u0000\u0000\u0000v\u00ae x\u00e3#)B\u0082\u00c1\u00e4\u001c\u00b6}[\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b3\u0086;4\u00e6\u00ee\u00d4\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\r !\u008f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\u0000S\u00003\u00008\u0000O\u0000S\u00004\u00000\u00004\u0000-\u00001\u0000Q\u00004\u00003\u0000-\u00004\u00002\u0000S\u00002\u0000-\u00009\u00003\u00000\u00005\u0000-\u00006\u00007\u0000Q\u0000R\u00000\u0000O\u00002\u00008\u0000S\u0000P\u00002\u00003\u0000}\u0000\\\u0000r\u0000k\u0000c\u0000y\u0000b\u0000e\u0000r\u0000e\u0000.\u0000r\u0000k\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000d\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u00e4\u0007\t\u0000F\u0000c\u0000r\u0000n\u0000x\u0000r\u0000e\u0000f\u0000:\u0000 \u00006\u00007\u0000%\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000f\u0000\u0000\u0000s\u00ae x\u00e3#)B\u0082\u00c1\u00e4\u001c\u00b6}[\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u00e2\u009e\u00956\u0005\u00d4\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\r !\u008f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000{\u0000S\u00003\u00008\u0000O\u0000S\u00004\u00000\u00004\u0000-\u00001\u0000Q\u00004\u00003\u0000-\u00004\u00002\u0000S\u00002\u0000-\u00009\u00003\u00000\u00005\u0000-\u00006\u00007\u0000Q\u0000R\u00000\u0000O\u00002\u00008\u0000S\u0000P\u00002\u00003\u0000}\u0000\\\u0000r\u0000k\u0000c\u0000y\u0000b\u0000e\u0000r\u0000e\u0000.\u0000r\u0000k\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000}\u00c0\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u00e4\u0007\t\u0000H\u0000a\u0000v\u0000q\u0000r\u0000a\u0000g\u0000v\u0000s\u0000v\u0000r\u0000q\u0000 \u0000a\u0000r\u0000g\u0000j\u0000b\u0000e\u0000x\u0000 \u0000A\u0000b\u0000 \u0000V\u0000a\u0000g\u0000r\u0000e\u0000a\u0000r\u0000g\u0000 \u0000n\u0000p\u0000p\u0000r\u0000f\u0000f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams"
},
"time": 1601430370.488021,
"tid": 1828,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 1788,
"type": "call",
"cid": 5782
}
],
"references": [],
"name": "creates_largekey"
},
{
"markcount": 1,
"families": [],
"description": "Creates a windows hook that monitors keyboard input (keylogger)",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "SetWindowsHookExW",
"return_value": 15008213,
"arguments": {
"thread_identifier": 0,
"callback_function": "0x00000000ffe9ae10",
"module_address": "0x00000000ffdf0000",
"hook_identifier": 13
},
"time": 1601430470.644021,
"tid": 1828,
"flags": {
"hook_identifier": "WH_KEYBOARD_LL"
}
},
"pid": 1788,
"type": "call",
"cid": 10375
}
],
"references": [],
"name": "infostealer_keylogger"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.4743640422821045,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5990,
"time": 12.47877311706543,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7834,
"time": 6.161250114440918,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8162,
"time": 4.168975114822388,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8490,
"time": 6.17408013343811,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8818,
"time": 4.668932199478149,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9146,
"time": 3.0620691776275635,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9474,
"time": 17.22232699394226,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 9794,
"time": 4.229034185409546,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 29204,
"time": 4.188220024108887,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 37588,
"time": 6.475368022918701,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "5205f8f6c61dbb1e6d81a7fbeb965bf3cd68740368c9598179c2ece99d01adab",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "aa89e9d3cdf7a63a2828b9fb45d213dae25f03cdfb0a1bf048106ce33b54344a",
"irc": [],
"https_ex": []
}Screenshots
Racingcar.exe removal instructions
The instructions below shows how to remove Racingcar.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the Racingcar.exe file for removal, restart your computer and scan it again to verify that Racingcar.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate Racingcar.exe in the scan result and tick the checkbox next to the Racingcar.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate Racingcar.exe in the scan result.
c:\users\%USERNAME%\appdata\local\temp\Racingcar.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the Racingcar.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If Racingcar.exe still remains in the scan result, proceed with the next step. If Racingcar.exe is gone from the scan result you're done.
- If Racingcar.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that Racingcar.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | f8ce6d62ffc31eaf6a6ca2e48dfd16ee |
| SHA256 | eaae2c7e8a07d3301279f8217a8cf34df54386359a1195655a5e036573e298b0 |
Error Messages
These are some of the error messages that can appear related to racingcar.exe:
racingcar.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
racingcar.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
amkja Setup has stopped working.
End Program - racingcar.exe. This program is not responding.
racingcar.exe is not a valid Win32 application.
racingcar.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with Racingcar.exe?
To help other users, please let us know what you will do with Racingcar.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.