What is agpsetup.exe?
agpsetup.exe is part of Ad Guardian Plus and developed by Bitguardian according to the agpsetup.exe version information.
agpsetup.exe's description is "Ad Guardian Plus Setup"
agpsetup.exe is digitally signed by Bit Guardian GmbH.
agpsetup.exe is usually located in the 'c:\users\%USERNAME%\appdata\local\temp\dmr\downloads\152e221a8bef8d2d13c58f995563a1a1\a87530b6033f0992737d6307b1048619\' folder.
Some of the anti-virus scanners at VirusTotal detected agpsetup.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on agpsetup.exe:
| Property | Value |
|---|---|
| Product name | Ad Guardian Plus |
| Company name | Bitguardian |
| File description | Ad Guardian Plus Setup |
| Original filename | agpsetup.exe |
| Legal copyright | Copyright © Bitguardian 2019 |
| Product version | 1.0.0.8 |
| File version | 1.0.0.8 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | Ad Guardian Plus |
| Company name | Bitguardian |
| File description | Ad Guardian Plus Setup |
| Original filename | agpsetup.exe |
| Legal copyright | Copyright © Bitguardian 2019 |
| Product version | 1.0.0.8 |
| File version | 1.0.0.8 |
Digital signatures [?]
agpsetup.exe has a valid digital signature.
| Property | Value |
|---|---|
| Signer name | Bit Guardian GmbH |
| Certificate issuer name | Sectigo RSA Extended Validation Code Signing CA |
| Certificate serial number | 5f3148a136a39c80869c21b6c9f886d6 |
VirusTotal report
4 of the 70 anti-virus programs at VirusTotal detected the agpsetup.exe file. That's a 6% detection rate.
| Scanner | Detection Name |
|---|---|
| APEX | Malicious |
| DrWeb | Program.Unwanted.4429 |
| ESET-NOD32 | Win32/GT32SupportGeeks.X potentially unwanted |
| Webroot | W32.Adware.Gen |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\FFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByDirection",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2\\Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Sort",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\LogicalViewMode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Mode",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\UserStartTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\LastAdvertisement",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ColInfo",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:FMTID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PastIconsStream",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\\Desktop\\TaskbarWinXP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\IconSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:PID"
],
"dll_loaded": [
"C:\\Windows\\system32\\ntshrui.dll",
"apphelp.dll",
"dwmapi.dll",
"kernel32.dll",
"UxTheme.dll",
"Advapi32.dll",
"ntmarta.dll",
"PROPSYS.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"comctl32",
"ole32.dll",
"CRYPTSP.dll",
"IMM32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"OLEAUT32.dll",
"netutils.dll",
"SHELL32.dll",
"comctl32.dll",
"C:\\Windows\\system32\\shell32.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"SETUPAPI.dll"
],
"file_opened": [
"C:\\Windows\\System32\\en-US\\ntshrui.dll.mui",
"C:\\Windows\\AppPatch\\sysmain.sdb",
"C:\\",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Windows\\System32\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp",
"C:\\Windows\\System32\\ntshrui.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
"HKEY_CLASSES_ROOT\\.html\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CLASSES_ROOT\\Directory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\OpenWithProgids",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.js",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html",
"HKEY_CLASSES_ROOT\\Folder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\DocObject",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\CurVer",
"HKEY_CLASSES_ROOT\\CLSID\\{25336920-03F9-11cf-8FD0-00AA00686F13}\\Implemented Categories\\{00021490-0000-0000-C000-000000000046}",
"HKEY_CLASSES_ROOT\\.js",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\UserChoice",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\ShellEx\\PropertyHandler",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_CLASSES_ROOT\\.html",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\ShellEx\\PropertyHandler",
"HKEY_CLASSES_ROOT\\*",
"HKEY_CLASSES_ROOT\\FirefoxHTML-E7CF176E110C211B",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\giffile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\CurVer",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.gif",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_CLASSES_ROOT\\.js\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\document",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\(Default)",
"HKEY_CLASSES_ROOT\\.ini",
"HKEY_CLASSES_ROOT\\CLSID\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
"HKEY_CLASSES_ROOT\\.gif\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.ini",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\DocObject",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\DefaultSecurity",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\(Default)",
"HKEY_CLASSES_ROOT\\CLSID\\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\\InProcServer32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\UserChoice",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.js",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\text",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\ShellEx\\IconHandler",
"HKEY_CLASSES_ROOT\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\OverrideFileSystemProperties",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\Clsid",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.html",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Directory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\CurVer",
"HKEY_CLASSES_ROOT\\inifile",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\ShellEx\\PropertyHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20",
"HKEY_CLASSES_ROOT\\Directory\\shellex\\CopyHookHandlers",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.gif",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\CurVer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CLASSES_ROOT\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\shellex\\CopyHookHandlers\\Sharing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.ini",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\shellex\\CopyHookHandlers\\FileSystem",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Directory\\OpenWithProgids",
"HKEY_CLASSES_ROOT\\.ini\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\(Default)",
"HKEY_CLASSES_ROOT\\.png\\OpenWithProgids",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\Clsid",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"HKEY_CLASSES_ROOT\\ExplorerCLSIDFlags\\{A38B883C-1682-497E-97B0-0A3A9E801682}",
"HKEY_CLASSES_ROOT\\.gif",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\.html\\ShellEx\\PropertyHandler",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid",
"HKEY_CLASSES_ROOT\\JSFile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_CLASSES_ROOT\\htmlfile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Sharing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\PROFILELIST",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\CurVer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\UserChoice",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.html",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\ShellEx\\PropertyHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\OpenWithProgids",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\UserChoice",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.png",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\AllFilesystemObjects",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\.png",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.png",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached",
"HKEY_CLASSES_ROOT\\pngfile",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.js\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\image",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\CurVer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.js"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupCollapseState",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemOrder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemPos800x600x96(1)"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp"
],
"file_exists": [
"C:\\Windows\\System32\\propsys.dll",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif",
"C:\\cuckoo_1788.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Windows\\SysWOW64\\propsys.dll",
"C:\\Windows\\servicing\\Packages\\Package_for_KB3033929~31bf3856ad364e35~amd64~~6.1.1.1.mum",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif",
"C:\\Windows\\System32\\ntshrui.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html"
],
"mutex": [
"AdGuardianPlus",
"Local\\Shell.CMruPidlList"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\cuckoo_1788.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini"
],
"guid": [
"{9b63616c-36b2-46bc-959f-c1593952d19b}",
"{1a1f4206-0688-4e7f-be03-d82ec69df9a5}",
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{42aedc87-2188-41fd-b9a3-0c966feabec1}",
"{49f371e1-8c5c-4d9c-9a3b-54a6827f513c}",
"{a4341687-7593-47aa-9554-4b0ffc8b2214}",
"{00000000-0000-0000-c000-000000000046}",
"{688c934d-0c26-40f6-8d29-d56d72c76b48}",
"{6311429e-2f1a-4777-880f-c7289fd10169}",
"{559b1911-d3af-486e-b8bc-242b24df0114}",
"{2fb499a3-cfce-480f-a5f3-2453db7a2b7a}",
"{edb5f444-cb8d-445a-a523-ec5ab6ea33c7}",
"{57ced8a7-3f4a-432c-9350-30f24483f74f}",
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}",
"{000214fc-0000-0000-c000-000000000046}",
"{72eb61e0-8672-4303-9175-f2e4c68b2e7c}",
"{76765b11-3f95-4af2-ac9d-ea55d8994f1a}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}"
],
"file_read": [
"C:\\Windows\\System32\\ntshrui.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuild",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NoFileFolderConnection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Sharing\\UsersShareName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\UseInProcHandlerCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\UserChoice\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_CURRENT_USER\\.html\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\\InProcServer32\\LoadWithoutCOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\BrowseInPlace",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.gif\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\UseOutOfProcHandlerCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gif\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\shellex\\CopyHookHandlers\\Sharing\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\DocObject",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\DisableProcessIsolation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.png\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClearRecentDocsOnExit",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\Content Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ConfirmFileDelete",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguage",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\PerceivedType",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\shellex\\CopyHookHandlers\\FileSystem\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LanmanServer\\DefaultSecurity\\SrvsvcDefaultShareInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PromotedIconCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Advanced\\MaxUndoItems",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\PerceivedType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MaxUndoItems",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU Size",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\\InProcServer32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\.html\\Content Type",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\NoOplock",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gif\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder"
],
"directory_enumerated": [
"C:\\Windows\\System32\\*.*",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Windows\\System32",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Windows\\servicing\\Packages\\Package_for_KB3033929~31bf3856ad364e35~amd64~~6.1.1.1.mum",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\ntshrui.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Windows"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp"
]
}Dropped
[
{
"yara": [],
"sha1": "ceb56eaabf3ebce5a2f6682c7de87eba7c104ddc",
"name": "2f907fc5d9ce3dd1_aut5878.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"type": "PNG image data, 65 x 77, 8-bit colormap, non-interlaced",
"sha256": "2f907fc5d9ce3dd19945e98f6e856d5a1548985ccdf4ed097081f4b1345b9cfe",
"urls": [],
"crc32": "5FD5A67C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/2f907fc5d9ce3dd1_aut5878.tmp",
"ssdeep": null,
"size": 3359,
"sha512": "be04449bff66aac67fbefd2015c9c26ff31a12a371801ab0f8b70a113b07862d210662f5f1fff60dceb9d9817e83ccb37fd378a5276772ff97b26f2d6444343a",
"pids": [
2016
],
"md5": "8e91877ed8a4cd85d4e317d6034b8eca"
},
{
"yara": [],
"sha1": "50255e2181cecbd816043f0447e5ee0737a10764",
"name": "e10c21d82fa9da56_de.ini",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"type": "Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators",
"sha256": "e10c21d82fa9da56286d2969ff57d91e738f5308ed56649104bd0fad9e07cb1a",
"urls": [],
"crc32": "42470FDD",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/e10c21d82fa9da56_de.ini",
"ssdeep": null,
"size": 7972,
"sha512": "15399629ad630a85caf8423608d7e431bb87679cc04833ff28306326980f0256b67e20a7eeb6c3bb8ed10b7e1314f635c3534f6434b83863d3830b18524b0250",
"pids": [
2016
],
"md5": "03c8e56368b1520cb0d8a6f0ec41d7dc"
},
{
"yara": [],
"sha1": "7c1e84f65535d83612833a24f77976663927f393",
"name": "481cd66bbdca9761_aut5868.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"type": "GIF image data, version 89a, 300 x 300",
"sha256": "481cd66bbdca9761c7438a759df36289480aab766f5e52f5509ed4c44e106c20",
"urls": [],
"crc32": "CF52264C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/481cd66bbdca9761_aut5868.tmp",
"ssdeep": null,
"size": 63901,
"sha512": "aa1b8d1789bd2adcda58ef6359f68e2bdaba2a283a14512080cae362bfde8de68e7f2afa66d8525a728fc134d70a04d4fb4ec220402693438940bac7c5d39ab8",
"pids": [
2016
],
"md5": "c60c2b73e0034c4cddc3a24336be94d5"
},
{
"yara": [],
"sha1": "21d63bbf8dfbb57d037e920097d5627f25faa444",
"name": "e170a75d43cb092d_aut58CF.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"type": "data",
"sha256": "e170a75d43cb092df5ef67ad7610f4587bf38f544963130042ea4dc4dd800b54",
"urls": [],
"crc32": "3DAFC3D2",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/e170a75d43cb092d_aut58CF.tmp",
"ssdeep": null,
"size": 3354,
"sha512": "8a3809d467e655e9b7487a2a91a27e2f75858e5c26cb09b5c04f825faa126306693cce8914945bd4288579d43d9c5c33dbe2617e8f5e43a3f8805cad1f54f61c",
"pids": [
2016
],
"md5": "2132f4df516ead7759c9f3530955e59b"
},
{
"yara": [],
"sha1": "e3f5fe3a02f9597f8c0b0013d28baea9f48ed5f9",
"name": "e12f17c2caf373f6_aut5867.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"type": "GIF image data, version 89a, 300 x 300",
"sha256": "e12f17c2caf373f664d89cafd2f6bc9b3a4d7ccf5d3467cf2df929feb24ebbb9",
"urls": [],
"crc32": "7540C46B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/e12f17c2caf373f6_aut5867.tmp",
"ssdeep": null,
"size": 12937,
"sha512": "154425319d65a5739e4421eeafc9089b3fedb714c0d5303b668bb4b90863c026de46882865930c65eb4d6a249310709ff0162e29d567779b39e266f4333c24b2",
"pids": [
2016
],
"md5": "3dc08cb09dcb8cb1a335ea5ee3909552"
},
{
"yara": [],
"sha1": "fd7210a1aa2c418e791c85207711a42ad5aece08",
"name": "8dec17fa1c458dcf_DisableSelection.js",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"type": "ASCII text, with CRLF line terminators",
"sha256": "8dec17fa1c458dcfa180aba15fe3cc14d2186261dc1c08bb3058c0d46cbf8fe9",
"urls": [],
"crc32": "AFF7AF64",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/8dec17fa1c458dcf_DisableSelection.js",
"ssdeep": null,
"size": 1660,
"sha512": "21df811c5a67e8735cf2f99ec4321ae119fae46f0dc90706ce8e5ad1c395326566a97649a014c6fccc8495584a1c313c9e220ef5ed0f1eb7a54dd3c20bb3e263",
"pids": [
2016
],
"md5": "84789d911ffa412658a4a8de09a5ddad"
},
{
"yara": [],
"sha1": "3413e64c960a643699c8a58a2e6573416734518f",
"name": "da94e286060dd0be_aut588C.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"type": "data",
"sha256": "da94e286060dd0be94e2edaf10d4ce016930414aff657ca3175b657977029474",
"urls": [],
"crc32": "39E18425",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/da94e286060dd0be_aut588C.tmp",
"ssdeep": null,
"size": 314,
"sha512": "81e374e0b54493603fa86628c81d477aa8c5e0c717bb1b410311d0b33cac3aacd8bf8c878a1bffd13073b1ca1b7d87d22ed38c76f582df419623ff0e49e96268",
"pids": [
2016
],
"md5": "883315b99749c3a053fdb666bb4319fc"
},
{
"yara": [],
"sha1": "5b5090a70b964caf3609e51160ba5ba37eca2c30",
"name": "b0e2e18855da1e5a_fr.ini",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"type": "Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators",
"sha256": "b0e2e18855da1e5ab370d9e7f8883f1ee369a55a34db24477d18e816e61adfca",
"urls": [],
"crc32": "A8E9C15E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/b0e2e18855da1e5a_fr.ini",
"ssdeep": null,
"size": 7950,
"sha512": "9b200389b0a362b96ae382d0054325892a43717cd4756ab2fea64798de516de45478f6a60900854545ec49532de975597ab179b0bdb0561b3d39df573330815c",
"pids": [
2016
],
"md5": "bc483a1259152dbf8c94c27e7a7674aa"
},
{
"yara": [],
"sha1": "f8a289ef79fa35ef3d1234d4a4bcbfe1a0f30bac",
"name": "10f5c61c5ecc7885_install.html",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"type": "HTML document, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators",
"sha256": "10f5c61c5ecc788598fd58ecd4db71cd45439eabd2ebe8108ba85e4380620ba8",
"urls": [],
"crc32": "DF7C96C2",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/10f5c61c5ecc7885_install.html",
"ssdeep": null,
"size": 96754,
"sha512": "dc989de4bfe2e60d93339e68595e7c0bdb689d81f75679950565a8053c3f912880c91687b6311c74f00a23df9128b2d3bde2bd8e9a507da442fae88099c830c7",
"pids": [
2016
],
"md5": "b8455e6037f2dcd156b1a06b901b0e6c"
},
{
"yara": [],
"sha1": "61ef6f93fbdda811cf693fbe66c1fb0597394b70",
"name": "042276650ff3d1c3_aut58BF.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"type": "data",
"sha256": "042276650ff3d1c3902a22a0bfffecfe14a26f80446552b2fe93e1adf2e7acdb",
"urls": [],
"crc32": "0926FDBE",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/042276650ff3d1c3_aut58BF.tmp",
"ssdeep": null,
"size": 3336,
"sha512": "783fec71147c24a69361af8256aa5e271b6d930e969129c3c4e7d7168c34272b3f75631bb0bfc5b542ad2e68a8c889e36679ec9d512469c595eb59d58d8909f7",
"pids": [
2016
],
"md5": "57dd5fae15340083b8726a0a0be3444d"
},
{
"yara": [],
"sha1": "7aed5d118a811a4dd64d8869490b7bce50d7405b",
"name": "994fb145ac35e71c_aut587A.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp",
"type": "data",
"sha256": "994fb145ac35e71c08ccdf2ccfa3f1617962680077bc8fe86316389fe25f7108",
"urls": [],
"crc32": "EDE95CE3",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/994fb145ac35e71c_aut587A.tmp",
"ssdeep": null,
"size": 864,
"sha512": "1a990218cbe1b85bb4cd555db36e2175f5edac3b27a5d27098e7fe98d1f7b52910f2e7470a102553150750564b8e819d9d64f77fc251e32fe3c4f98a9e21c9c2",
"pids": [
2016
],
"md5": "1c5d77a6597f353a25aab21bda33f70d"
},
{
"yara": [],
"sha1": "33fcc1bf675f243f82c1a4c52a5677a4288ccbc0",
"name": "976069bb6dc787a8_right.png",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"type": "PNG image data, 20 x 20, 8-bit colormap, non-interlaced",
"sha256": "976069bb6dc787a826a201cd50e879c01cafcf2870bc9a931297cc63de300c2c",
"urls": [],
"crc32": "8836356E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/976069bb6dc787a8_right.png",
"ssdeep": null,
"size": 372,
"sha512": "1512ba4ffd78ce28064873b2ffa594df19f9f9fb57a1377678c36acc81501f46e993216dc398bc484e40e0ca33b7161449d1e0fa546f9437ec1b9b1c86bb4be7",
"pids": [
2016
],
"md5": "f8553d0ac63d366b0072c1d9b3966244"
},
{
"yara": [],
"sha1": "ed3b0b8f9f77a6d825f911088d160e18a98ec475",
"name": "1c411468c1c93b35_aut58AD.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"type": "data",
"sha256": "1c411468c1c93b3532f12d0a41b116d22454d4f33640a44587a98a2d5051ec0e",
"urls": [],
"crc32": "F4633152",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/1c411468c1c93b35_aut58AD.tmp",
"ssdeep": null,
"size": 3320,
"sha512": "f03f4e3e0f4be4ca4ec9c98153396764ce22293cf5123ae704540cdd41ecbfa69e0320ca730a8f8ef0a1c83d4441594560c7f2a8d91ee9e19babbe0298aa9ca9",
"pids": [
2016
],
"md5": "97f48800360891f149bb337549e11a94"
},
{
"yara": [],
"sha1": "e87c09cb554989f97ee59541a26abf846ca9069f",
"name": "91083e0d4e5bc3fa_aut58BE.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"type": "data",
"sha256": "91083e0d4e5bc3fa278b66d82027fd4c97f2f0bfc6565226ede8dab3a948e185",
"urls": [],
"crc32": "1FA4B279",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/91083e0d4e5bc3fa_aut58BE.tmp",
"ssdeep": null,
"size": 2526,
"sha512": "deded100c3df7ed9df2c2e8c8bbda3d97b8031fceb6aae38ab3fbcd452df72c28e6c48ba677c20159e03bb83d8b321e7887921661535af02045360db87bb1066",
"pids": [
2016
],
"md5": "04f2bba8237ac43094b719fc8ca51c10"
},
{
"yara": [],
"sha1": "040879b15a12e0c74aae7afc9f3487d980635818",
"name": "79ef409e76953ae0_aut589C.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp",
"type": "data",
"sha256": "79ef409e76953ae03abfad61d3f280ba2b873fcdb78e4328741a1a4113148517",
"urls": [],
"crc32": "866FD78F",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/79ef409e76953ae0_aut589C.tmp",
"ssdeep": null,
"size": 3002,
"sha512": "23bb4ef0757d4c448056a57ba15117d153ed0fe318c08279294a6d3ec4b381d8a0bbee8bccca93a636b08eb119b9622517f905188b4e92e775f49d0c5cc2bcbf",
"pids": [
2016
],
"md5": "9dbfa4bb1da19977a0800d6639bff743"
},
{
"yara": [],
"sha1": "4ef5d8c3bf65d311d27ba5c890b7cf571966e15e",
"name": "5d5deb2a42669089_en.ini",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"type": "Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators",
"sha256": "5d5deb2a426690898a8af76664de205eebeece904f722ac7a6005665ce3b69cc",
"urls": [],
"crc32": "E259FD10",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/5d5deb2a42669089_en.ini",
"ssdeep": null,
"size": 7104,
"sha512": "883870646a165a83c76b48503e616a97fe32aae4ea579fc2c2960487979f8217131e7231b59ac017b0e1862479880714e95008beb5797be8f2b7a20d79418503",
"pids": [
2016
],
"md5": "1ea06c6e0a8ca81b1680467e3cf81fda"
},
{
"yara": [],
"sha1": "c5cf65712f7ad62fd10212cde648b6ef72b9e06b",
"name": "ae65f06177da7fc7_aut588B.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"type": "PNG image data, 34 x 42, 8-bit colormap, non-interlaced",
"sha256": "ae65f06177da7fc7acc7990d07441ed5bb6e674a8f5a014d578ea592e5fb2c52",
"urls": [],
"crc32": "739ADC29",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/ae65f06177da7fc7_aut588B.tmp",
"ssdeep": null,
"size": 1735,
"sha512": "fd3f37381b24b36e6c611731cb97919567b9d65c91bea38b18814902cb8602994a78bc38de10867736cb919427a59c13725c7ac833cc48403a005da4946ab28a",
"pids": [
2016
],
"md5": "b9e821ed6020d42354c03772cfa32681"
},
{
"yara": [],
"sha1": "c55b6ecf521b92f828babb55e2a8c5c0dc8c7147",
"name": "ef35b2a9001ac12a_ja.ini",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"type": "Little-endian UTF-16 Unicode text, with CRLF, CR line terminators",
"sha256": "ef35b2a9001ac12a5bb3e4cf683b34fb29e868cab86efbbf3017cc7ade83000d",
"urls": [],
"crc32": "591A6126",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/ef35b2a9001ac12a_ja.ini",
"ssdeep": null,
"size": 5206,
"sha512": "b3c09f782ce710e456a01e5af69b372b4b762aa51e442f9bd2d120a2c6174ef30e20af700f343129a79ffa64bba2b88020614369b49118b5952b3d8eb44a523c",
"pids": [
2016
],
"md5": "820989d8fe44d66c93885fc9256d9433"
},
{
"yara": [],
"sha1": "a0793fb819b8adaf07143605a646cdf748204d9f",
"name": "ab9e87a348fba666_aut5879.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"type": "PNG image data, 12 x 12, 8-bit\/color RGBA, non-interlaced",
"sha256": "ab9e87a348fba6660b83b36ef0490ffb0a8503c4480f5f44362e05aed47a4f33",
"urls": [],
"crc32": "019F2F34",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/ab9e87a348fba666_aut5879.tmp",
"ssdeep": null,
"size": 169,
"sha512": "9c6e62d803f01e89d56ce6f5ebc99d994fe922097798824535533724c96fa0ae27cf1d5546db5be8bb22301e9482431655a7832e357dfd25a8994a55a59f799e",
"pids": [
2016
],
"md5": "fbca0217baf334f2b7fc9cddc8548dbf"
},
{
"yara": [],
"sha1": "347baa9b183f6e1a85b1b2204d963b244069585a",
"name": "ed95bb180da5f5ea_aut5856.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"type": "GIF image data, version 89a, 300 x 300",
"sha256": "ed95bb180da5f5ea8507db137efdc4aa668c6b7955401c3b8724b1fdf49ab4ef",
"urls": [],
"crc32": "D5D911F8",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/ed95bb180da5f5ea_aut5856.tmp",
"ssdeep": null,
"size": 23363,
"sha512": "68d639d0a8d6b81567e6697f6773b31e15fedc0d73e456961fa2b34f0349bcc273b7cb2aa0811fdde0f0bd642ce177a259436d1b63b426572a3e4201cecc4705",
"pids": [
2016
],
"md5": "c7bd2043999f1806c7d327cb51139aef"
},
{
"yara": [],
"sha1": "5cdbbe86eb1354dab5fe9b558168ab23a8a7629b",
"name": "a83299bf74b14b1b_aut5855.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"type": "data",
"sha256": "a83299bf74b14b1ba14e7189b8636d7263f892c06a82917c6506112b705d77b6",
"urls": [],
"crc32": "8309AF59",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/a83299bf74b14b1b_aut5855.tmp",
"ssdeep": null,
"size": 15008,
"sha512": "7852b0f1cd823e1d79ed5aaa35a0752bc320e674ce95a2fc7eaa5d98f1a8f875d04738651df8c5a4bd3e7b250bad3aefd38026def1a2994f32825933d07da083",
"pids": [
2016
],
"md5": "2c015a3cf2603a64421801706cc6f899"
},
{
"yara": [],
"sha1": "73e544bee27dcea2607665fdf09ae38196d42c66",
"name": "6ec52777bd036089_ru.ini",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"type": "Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators",
"sha256": "6ec52777bd03608983fe5ef5db7cf546c49b96f00466877bef630f4a3b9e0102",
"urls": [],
"crc32": "C1891790",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2992\/files\/6ec52777bd036089_ru.ini",
"ssdeep": null,
"size": 7596,
"sha512": "40643604a3fbe7be00c5f17a4eaebcf6f835c2a506776f2eb7f59977760600438625623734a7058f1ba5c76df73eadc38f8cd1be5b66f80841e06e94fdcee80a",
"pids": [
2016
],
"md5": "1434e0458ea5db1b16dbe1d923db9106"
}
]Generic
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"process_name": "0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"pid": 2016,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp"
],
"dll_loaded": [
"C:\\Windows\\system32\\ntshrui.dll",
"apphelp.dll",
"dwmapi.dll",
"kernel32.dll",
"UxTheme.dll",
"Advapi32.dll",
"ntmarta.dll",
"PROPSYS.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"comctl32",
"ole32.dll",
"CRYPTSP.dll",
"IMM32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"OLEAUT32.dll",
"netutils.dll",
"SHELL32.dll",
"comctl32.dll",
"C:\\Windows\\system32\\shell32.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"SETUPAPI.dll"
],
"file_opened": [
"C:\\Windows\\System32\\en-US\\ntshrui.dll.mui",
"C:\\Windows\\AppPatch\\sysmain.sdb",
"C:\\",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Windows\\System32\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp",
"C:\\Windows\\System32\\ntshrui.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
"HKEY_CLASSES_ROOT\\.html\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CLASSES_ROOT\\Directory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\OpenWithProgids",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.js",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html",
"HKEY_CLASSES_ROOT\\Folder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\DocObject",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\CurVer",
"HKEY_CLASSES_ROOT\\CLSID\\{25336920-03F9-11cf-8FD0-00AA00686F13}\\Implemented Categories\\{00021490-0000-0000-C000-000000000046}",
"HKEY_CLASSES_ROOT\\.js",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\UserChoice",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\ShellEx\\PropertyHandler",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_CLASSES_ROOT\\.html",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\ShellEx\\PropertyHandler",
"HKEY_CLASSES_ROOT\\*",
"HKEY_CLASSES_ROOT\\FirefoxHTML-E7CF176E110C211B",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\giffile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\CurVer",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.gif",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_CLASSES_ROOT\\.js\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\document",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\(Default)",
"HKEY_CLASSES_ROOT\\.ini",
"HKEY_CLASSES_ROOT\\CLSID\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
"HKEY_CLASSES_ROOT\\.gif\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.ini",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\DocObject",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\DefaultSecurity",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\(Default)",
"HKEY_CLASSES_ROOT\\CLSID\\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\\InProcServer32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\UserChoice",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.js",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\text",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\ShellEx\\IconHandler",
"HKEY_CLASSES_ROOT\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\OverrideFileSystemProperties",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\Clsid",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.html",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Directory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\CurVer",
"HKEY_CLASSES_ROOT\\inifile",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\ShellEx\\PropertyHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20",
"HKEY_CLASSES_ROOT\\Directory\\shellex\\CopyHookHandlers",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.gif",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\CurVer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CLASSES_ROOT\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\shellex\\CopyHookHandlers\\Sharing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.ini",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\shellex\\CopyHookHandlers\\FileSystem",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Directory\\OpenWithProgids",
"HKEY_CLASSES_ROOT\\.ini\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\(Default)",
"HKEY_CLASSES_ROOT\\.png\\OpenWithProgids",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\Clsid",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"HKEY_CLASSES_ROOT\\ExplorerCLSIDFlags\\{A38B883C-1682-497E-97B0-0A3A9E801682}",
"HKEY_CLASSES_ROOT\\.gif",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\.html\\ShellEx\\PropertyHandler",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid",
"HKEY_CLASSES_ROOT\\JSFile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_CLASSES_ROOT\\htmlfile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Sharing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\*\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\PROFILELIST",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\CurVer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.gif\\UserChoice",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.html",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\ShellEx\\PropertyHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\OpenWithProgids",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\UserChoice",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.png",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\AllFilesystemObjects",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.png",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\.png",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.png",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached",
"HKEY_CLASSES_ROOT\\pngfile",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.js\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\ShellEx\\PropertyHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\image",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\CurVer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.js"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5856.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5878.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5879.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5867.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5868.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp"
],
"file_exists": [
"C:\\Windows\\System32\\propsys.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif",
"C:\\Users",
"C:\\Windows\\SysWOW64\\propsys.dll",
"C:\\Windows\\servicing\\Packages\\Package_for_KB3033929~31bf3856ad364e35~amd64~~6.1.1.1.mum",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif",
"C:\\Windows\\System32\\ntshrui.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html"
],
"mutex": [
"AdGuardianPlus"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini"
],
"guid": [
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{49f371e1-8c5c-4d9c-9a3b-54a6827f513c}",
"{a4341687-7593-47aa-9554-4b0ffc8b2214}",
"{00000000-0000-0000-c000-000000000046}",
"{688c934d-0c26-40f6-8d29-d56d72c76b48}",
"{6311429e-2f1a-4777-880f-c7289fd10169}",
"{559b1911-d3af-486e-b8bc-242b24df0114}",
"{76765b11-3f95-4af2-ac9d-ea55d8994f1a}",
"{edb5f444-cb8d-445a-a523-ec5ab6ea33c7}",
"{57ced8a7-3f4a-432c-9350-30f24483f74f}",
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}",
"{000214fc-0000-0000-c000-000000000046}",
"{72eb61e0-8672-4303-9175-f2e4c68b2e7c}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}"
],
"file_read": [
"C:\\Windows\\System32\\ntshrui.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5855.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut588C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58CF.tmp",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BF.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58AD.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut587A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut58BE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut589C.tmp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuild",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NoFileFolderConnection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Sharing\\UsersShareName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\UseInProcHandlerCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\UserChoice\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_CURRENT_USER\\.html\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\\InProcServer32\\LoadWithoutCOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\BrowseInPlace",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.gif\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\UseOutOfProcHandlerCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gif\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\shellex\\CopyHookHandlers\\Sharing\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\DocObject",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\DisableProcessIsolation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\PropertySystem\\PropertyHandlers\\.png\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\Content Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ConfirmFileDelete",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguage",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\PerceivedType",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\shellex\\CopyHookHandlers\\FileSystem\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LanmanServer\\DefaultSecurity\\SrvsvcDefaultShareInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\AlwaysShowExt",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Advanced\\MaxUndoItems",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.html\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\PerceivedType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.png\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MaxUndoItems",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\\InProcServer32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\.html\\Content Type",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\Content Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A38B883C-1682-497E-97B0-0A3A9E801682}\\NoOplock",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gif\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\image\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\giffile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.gif\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\pngfile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\JSFile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder"
],
"directory_enumerated": [
"C:\\Windows\\System32\\*.*",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ru.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\ja.ini",
"C:\\Windows\\System32",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\cross.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_3.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\en.ini",
"C:\\Windows\\servicing\\Packages\\Package_for_KB3033929~31bf3856ad364e35~amd64~~6.1.1.1.mum",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo_sml.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\de.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_1.gif",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\ntshrui.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\DisableSelection.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\right.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\animation_2.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~zidlaxx.tmp\\fr.ini",
"C:\\Windows"
]
},
"first_seen": 1571766785.7812,
"ppid": 2660
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1571766785.4844,
"ppid": 376
},
{
"process_path": "C:\\Windows\\explorer.exe",
"process_name": "explorer.exe",
"pid": 1788,
"summary": {
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\FFlags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByDirection",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2\\Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Sort",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\LogicalViewMode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\Mode",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\UserStartTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\LastAdvertisement",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ColInfo",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:FMTID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PastIconsStream",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\\Desktop\\TaskbarWinXP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\IconSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupByKey:PID"
],
"file_opened": [
"C:\\"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StuckRects2"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\GroupCollapseState",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemOrder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop\\ItemPos800x600x96(1)"
],
"file_exists": [
"C:\\cuckoo_1788.ini",
"C:\\Users\\cuck\\Desktop"
],
"mutex": [
"Local\\Shell.CMruPidlList"
],
"file_failed": [
"C:\\cuckoo_1788.ini"
],
"guid": [
"{9b63616c-36b2-46bc-959f-c1593952d19b}",
"{1a1f4206-0688-4e7f-be03-d82ec69df9a5}",
"{2fb499a3-cfce-480f-a5f3-2453db7a2b7a}",
"{42aedc87-2188-41fd-b9a3-0c966feabec1}"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlot",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\MRUListEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClearRecentDocsOnExit",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PromotedIconCache",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\NodeSlots",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU Size"
]
},
"first_seen": 1571766787.8967,
"ppid": 1740
}
]Signatures
[
{
"markcount": 3,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1571766786.1883,
"tid": 1268,
"flags": {}
},
"pid": 2016,
"type": "call",
"cid": 1945
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1571766786.1883,
"tid": 1268,
"flags": {}
},
"pid": 2016,
"type": "call",
"cid": 1946
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1571766786.1883,
"tid": 1268,
"flags": {}
},
"pid": 2016,
"type": "call",
"cid": 1953
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 1,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1571766785.8912,
"tid": 1268,
"flags": {}
},
"pid": 2016,
"type": "call",
"cid": 71
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1571766787.7343,
"tid": 2468,
"flags": {}
},
"pid": 2016,
"type": "call",
"cid": 2222
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 0,
"families": [],
"description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed",
"severity": 2,
"marks": [],
"references": [
"https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb"
],
"name": "antisandbox_foregroundwindows"
},
{
"markcount": 1,
"families": [],
"description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
"severity": 2,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "C:\\",
"free_bytes_available": 23512010752,
"total_number_of_free_bytes": 23512010752,
"total_number_of_bytes": 34252779520
},
"time": 1571766786.0312,
"tid": 1268,
"flags": {}
},
"pid": 2016,
"type": "call",
"cid": 619
}
],
"references": [],
"name": "antivm_disk_size"
},
{
"markcount": 3,
"families": [],
"description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "SearchProtocolHost.exe",
"snapshot_handle": "0x00000148",
"process_identifier": 2340
},
"time": 1571766787.6883,
"tid": 1268,
"flags": {}
},
"pid": 2016,
"type": "call",
"cid": 1999
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "SearchFilterHost.exe",
"snapshot_handle": "0x00000148",
"process_identifier": 1624
},
"time": 1571766787.6883,
"tid": 1268,
"flags": {}
},
"pid": 2016,
"type": "call",
"cid": 2000
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff.bin",
"snapshot_handle": "0x00000148",
"process_identifier": 2016
},
"time": 1571766787.6883,
"tid": 1268,
"flags": {}
},
"pid": 2016,
"type": "call",
"cid": 2001
}
],
"references": [],
"name": "injection_process_search"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.8030710772342,
"section": {
"size_of_data": "0x0011da00",
"virtual_address": "0x000c8000",
"entropy": 7.8030710772342,
"name": ".rsrc",
"virtual_size": "0x0011d8e8"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.58559712967709,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 2,
"families": [],
"description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "NtSetValueKey",
"return_value": 0,
"arguments": {
"index": 0,
"key_handle": "0x0000000000000f84",
"value": "\u0014\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0011\u0000\u0000\u0000\u0014\u0000\u0000\u0000IL \u0006\u0011\u0000$\u0000\u0018\u0000\u0010\u0000\u0010\u0000\u00ff\u00ff\u00ff\u00ff!\u0010\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ffBM6\u0000\u0000\u0000\u0000\u0000\u0000\u00006\u0000\u0000\u0000(\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0002\u0000\u0000\u0001\u0000 \u0000\u0000\u0000\u0000\u0000\u0000\u0090\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\PastIconsStream"
},
"time": 1571766366.4629,
"tid": 1828,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 1788,
"type": "call",
"cid": 1737
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "NtSetValueKey",
"return_value": 0,
"arguments": {
"index": 0,
"key_handle": "0x00000000000001e0",
"value": "\u0014\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0005\u0000\u0000\u0000\u0014\u0000\u0000\u0000{\u0000S\u00003\u00008\u0000O\u0000S\u00004\u00000\u00004\u0000-\u00001\u0000Q\u00004\u00003\u0000-\u00004\u00002\u0000S\u00002\u0000-\u00009\u00003\u00000\u00005\u0000-\u00006\u00007\u0000Q\u0000R\u00000\u0000O\u00002\u00008\u0000S\u0000P\u00002\u00003\u0000}\u0000\\\u0000r\u0000k\u0000c\u0000y\u0000b\u0000e\u0000r\u0000e\u0000.\u0000r\u0000k\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u00e3\u0007\n\u0000F\u0000b\u0000y\u0000i\u0000r\u0000 \u0000C\u0000P\u0000 \u0000v\u0000f\u0000f\u0000h\u0000r\u0000f\u0000:\u0000 \u00001\u0000 \u0000z\u0000r\u0000f\u0000f\u0000n\u0000t\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000f\u0000\u0000\u0000v\u00ae x\u00e3#)B\u0082\u00c1\u00e4\u001c\u00b6}[\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b3\u0086;4\u00e6\u00ee\u00d4\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\r !\u008f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\u0000S\u00003\u00008\u0000O\u0000S\u00004\u00000\u00004\u0000-\u00001\u0000Q\u00004\u00003\u0000-\u00004\u00002\u0000S\u00002\u0000-\u00009\u00003\u00000\u00005\u0000-\u00006\u00007\u0000Q\u0000R\u00000\u0000O\u00002\u00008\u0000S\u0000P\u00002\u00003\u0000}\u0000\\\u0000r\u0000k\u0000c\u0000y\u0000b\u0000e\u0000r\u0000e\u0000.\u0000r\u0000k\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000d\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u00e3\u0007\n\u0000F\u0000c\u0000r\u0000n\u0000x\u0000r\u0000e\u0000f\u0000:\u0000 \u00006\u00007\u0000%\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000s\u00ae x\u00e3#)B\u0082\u00c1\u00e4\u001c\u00b6}[\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u00e2\u009e\u00956\u0005\u00d4\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\r !\u008f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000{\u0000S\u00003\u00008\u0000O\u0000S\u00004\u00000\u00004\u0000-\u00001\u0000Q\u00004\u00003\u0000-\u00004\u00002\u0000S\u00002\u0000-\u00009\u00003\u00000\u00005\u0000-\u00006\u00007\u0000Q\u0000R\u00000\u0000O\u00002\u00008\u0000S\u0000P\u00002\u00003\u0000}\u0000\\\u0000r\u0000k\u0000c\u0000y\u0000b\u0000e\u0000r\u0000e\u0000.\u0000r\u0000k\u0000r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000}\u00c0\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u00e3\u0007\n\u0000H\u0000a\u0000v\u0000q\u0000r\u0000a\u0000g\u0000v\u0000s\u0000v\u0000r\u0000q\u0000 \u0000a\u0000r\u0000g\u0000j\u0000b\u0000e\u0000x\u0000 \u0000A\u0000b\u0000 \u0000V\u0000a\u0000g\u0000r\u0000e\u0000a\u0000r\u0000g\u0000 \u0000n\u0000p\u0000p\u0000r\u0000f\u0000f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams"
},
"time": 1571766366.4629,
"tid": 1828,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 1788,
"type": "call",
"cid": 1739
}
],
"references": [],
"name": "creates_largekey"
},
{
"markcount": 1,
"families": [],
"description": "Creates a windows hook that monitors keyboard input (keylogger)",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "SetWindowsHookExW",
"return_value": 22020737,
"arguments": {
"thread_identifier": 0,
"callback_function": "0x00000000ffe9ae10",
"module_address": "0x00000000ffdf0000",
"hook_identifier": 13
},
"time": 1571766416.3219,
"tid": 1828,
"flags": {
"hook_identifier": "WH_KEYBOARD_LL"
}
},
"pid": 1788,
"type": "call",
"cid": 4610
}
],
"references": [],
"name": "infostealer_keylogger"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.2204368114471,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5342,
"time": 12.23836684227,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7186,
"time": 6.1853499412537,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7514,
"time": 4.1666719913483,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7842,
"time": 6.1971688270569,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8170,
"time": 4.7632308006287,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8498,
"time": 3.0594749450684,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8826,
"time": 4.7240109443665,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28236,
"time": 4.1787049770355,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36620,
"time": 6.2538030147552,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "2eacb80c9f566f677ba47b3b2a3b971a3b10438fba6ef2e492e77f6675e63fe5",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "e9596dd801ca59bf02f91865f48ed6f32d85c904d0abfe3c68f541d2c76eb8c9",
"irc": [],
"https_ex": []
}Screenshots
agpsetup.exe removal instructions
The instructions below shows how to remove agpsetup.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the agpsetup.exe file for removal, restart your computer and scan it again to verify that agpsetup.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate agpsetup.exe in the scan result and tick the checkbox next to the agpsetup.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate agpsetup.exe in the scan result.
c:\users\%USERNAME%\appdata\lo..a1\a87530b6033f0992737d6307b1048619\agpsetup.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the agpsetup.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If agpsetup.exe still remains in the scan result, proceed with the next step. If agpsetup.exe is gone from the scan result you're done.
- If agpsetup.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that agpsetup.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | c6d0d739d2cdbbdfb5ad7453c068d219 |
| SHA256 | 0e30298ff2a313223a836a941257994d0610c7e1f0afe921f578041db8c684ff |
Error Messages
These are some of the error messages that can appear related to agpsetup.exe:
agpsetup.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
agpsetup.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Ad Guardian Plus Setup has stopped working.
End Program - agpsetup.exe. This program is not responding.
agpsetup.exe is not a valid Win32 application.
agpsetup.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with agpsetup.exe?
To help other users, please let us know what you will do with agpsetup.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.