What is eath.exe?

eath.exe is usually located in the 'c:\' folder.

Some of the anti-virus scanners at VirusTotal detected eath.exe.

Vendor and version information

eath.exe does not have any version or vendor information.

VirusTotal report

59 of the 67 anti-virus programs at VirusTotal detected the eath.exe file. That's an 88% detection rate.

Scanner / Detection name
Acronis suspicious
Ad-Aware Win32.Sality.3
AhnLab-V3 Win32/Kashu.E
ALYac Worm.Sality.3.Gen
Antiy-AVL Virus/Win32.Sality.gen
Arcabit Win32.Sality.3
Avast Win32:Sality
AVG Win32:Sality
Avira W32/Sality.AT
Baidu Win32.Trojan.Sality.p
BitDefender Win32.Sality.3
Bkav W32.Sality.PE
CAT-QuickHeal W32.Sality.U
ClamAV Win.Trojan.Agent-36126
Comodo Virus.Win32.Sality.gen@1egj5j
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.f1733b
Cyren W32/Sality.gen2
DrWeb Win32.Sector.31
eGambit Trojan.Generic
Emsisoft Win32.Sality.3 (B)
Endgame malicious (high confidence)
ESET-NOD32 Win32/Sality
F-Prot W32/Sality.gen2
F-Secure Malware.W32/Sality.AT
FireEye Generic.mg.26927bcf1733b933
Fortinet W32/LPECrypt.A!tr
GData Win32.Virus.Sality.A
Ikarus Virus.Win32.Sality
Invincea heuristic
Jiangmin Win32/HLLP.Kuku.poly2
K7AntiVirus Trojan ( 001e7bc71 )
K7GW Trojan ( 001e7bc71 )
Kaspersky Virus.Win32.Sality.gen
Malwarebytes Trojan.MalPack.Gen
MAX malware (ai score=83)
McAfee W32/Sality.gen.z
McAfee-GW-Edition BehavesLike.Win32.Sality.cc
Microsoft Virus:Win32/Sality.AT
MicroWorld-eScan Win32.Sality.3
NANO-Antivirus Virus.Win32.Sality.beygb
Panda W32/Sality.AK.drp
Qihoo-360 Trojan.Win32.SalityStub.A
Rising Virus.Sality!8.35A/N3#100% (RDM+:cmRtazrHldsyoX9uEXMZc9t+UQrn)
SentinelOne DFI - Malicious PE
Sophos Troj/SalLoad-C
SUPERAntiSpyware Trojan.Agent/Gen-CDesc[LordPE]
TACHYON Virus/W32.Sality.D
Tencent Trojan.Win32.SalityStub.a
TheHacker W32/Sality.gen
TotalDefense Win32/Sality.AA
Trapmine malicious.high.ml.score
TrendMicro-HouseCall PE_SALITY.RL-O
VBA32 Virus.Win32.Sality.bakc
ViRobot Win32.Sality.N.Host
Yandex Win32.Sality.BL
Zillya Virus.Sality.Win32.17
ZoneAlarm Virus.Win32.Sality.gen
Zoner Trojan.Win32.Sality.22009

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

{
    "file_created": [
        "C:\\nrpds.exe",
        "C:\\autorun.inf",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe"
    ]
}
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_138",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_139",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_132",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_133",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_130",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_131",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_136",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_137",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_134",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_135",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_72",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_73",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_70",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_71",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_76",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_77",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_74",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_75",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_78",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_79",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_91",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_90",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_93",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_92",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_95",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_94",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_97",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_96",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_99",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_98",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_144",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_145",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_79",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_78",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_75",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_74",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_77",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_76",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_71",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_70",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_73",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_72",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
    ],
    "dll_loaded": [
        "API-MS-Win-Security-LSALookup-L1-1-0.dll",
        "apphelp.dll",
        "kernel32.dll",
        "MSVCRT.dll",
        "POWRPROF.DLL",
        "slc.dll",
        "ntmarta.dll",
        "API-MS-WIN-Service-Management-L1-1-0.dll",
        "PROPSYS.dll",
        "KERNEL32.DLL",
        "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
        "API-MS-WIN-Service-winsvc-L1-1-0.dll",
        "ole32.dll",
        "USER32.dll",
        "fxsst.dll",
        "API-MS-Win-Security-SDDL-L1-1-0.dll",
        "WININET.DLL",
        "ADVAPI32.dll",
        "OLEAUT32",
        "OLEAUT32.dll",
        "profapi.dll",
        "SHELL32.dll",
        "C:\\Windows\\system32\\FXSRESM.DLL",
        "sfc",
        "comctl32.dll",
        "VERSION.dll",
        "MPR",
        "DEVRTL.dll",
        "SHELL32.DLL",
        "SETUPAPI.dll",
        "WS2_32.dll"
    ],
    "file_failed": [
        "\\??\\L:",
        "\\??\\N:",
        "\\??\\U:",
        "\\??\\H:",
        "\\??\\W:",
        "\\??\\J:",
        "\\??\\Q:",
        "C:\\autorun.inf",
        "\\??\\D:",
        "\\??\\S:",
        "\\??\\F:",
        "\\??\\M:",
        "\\??\\X:",
        "\\??\\Z:",
        "C:\\desktop.ini",
        "C:\\Windows\\winsxs\\FileMaps\\users_cuck_appdata_local_temp_c2004f3465698a5a.cdf-ms",
        "\\??\\O:",
        "\\??\\I:",
        "\\??\\T:",
        "\\??\\V:",
        "\\??\\K:",
        "\\??\\E:",
        "\\??\\P:",
        "\\??\\R:",
        "\\??\\G:",
        "\\??\\Y:"
    ],
    "regkey_opened": [
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache ",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings",
        "HKEY_CURRENT_USER\\AppEvents\\EventLabels\\FaxSent",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Drive",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CLASSES_ROOT\\Drive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
        "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
        "HKEY_CURRENT_USER\\Software\\Arxv",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shell\\open",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CLASSES_ROOT\\Folder",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\shell\\open",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile",
        "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Svc",
        "HKEY_LOCAL_MACHINE\\System\\Setup",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
        "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\(Default)",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fax\\Client\\ServiceStartup",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed.bin",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders",
        "HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PropertyBag",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "HKEY_CLASSES_ROOT\\SystemFileAssociations\\Drive.Fixed",
        "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PropertyBag",
        "HKEY_CLASSES_ROOT\\CLSID\\{11DBB47C-A525-400B-9E80-A54615A090C0}\\SupportedProtocols",
        "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Drive\\OpenWithProgids",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\(Default)",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\command",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\CurVer",
        "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1",
        "HKEY_CLASSES_ROOT\\CLSID\\{11DBB47C-A525-400B-9E80-A54615A090C0}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache"
    ],
    "command_line": [
        "C:\\"
    ],
    "file_written": [
        "C:\\Windows\\system.ini",
        "C:\\nrpds.exe",
        "C:\\autorun.inf",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe"
    ],
    "file_deleted": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe"
    ],
    "file_exists": [
        "C:\\Users\\cuck\\AppData\\Roaming",
        "C:\\",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe",
        "C:\\nrpds.exe",
        "C:\\Users\\cuck",
        "C:\\autorun.inf",
        "C:\\Windows\\System32\\explorerframe.dll"
    ],
    "mutex": [
        "cmd.exeM_1692_",
        "svchost.exeM_1216_",
        "svchost.exeM_660_",
        "lsass.exeM_476_",
        "svchost.exeM_276_",
        "explorer.exeM_1788_",
        "wmpnetwk.exeM_1856_",
        "svchost.exeM_712_",
        "winlogon.exeM_424_",
        "dwm.exeM_1768_",
        "wininit.exeM_376_",
        "taskhost.exeM_1724_",
        "searchprotocolhost.exeM_1232_",
        "conhost.exeM_1700_",
        "svchost.exeM_1000_",
        "lsm.exeM_484_",
        "csrss.exeM_328_",
        "svchost.exeM_480_",
        "smss.exeM_252_",
        "searchprotocolhost.exeM_1092_",
        "python.exeM_1244_",
        "bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618eM_2816_",
        "spoolsv.exeM_1084_",
        "csrss.exeM_384_",
        "audiodg.exeM_2560_",
        "services.exeM_468_",
        "svchost.exeM_880_",
        "svchost.exeM_1548_",
        "uxJLpe1m",
        "svchost.exeM_592_",
        "mobsync.exeM_800_",
        "taskhost.exeM_2312_",
        "svchost.exeM_804_",
        "searchfilterhost.exeM_2676_",
        "Ap1mutx7",
        "explorer.exeM_2800_",
        "svchost.exeM_3000_",
        "python.exeM_2168_",
        "svchost.exeM_3064_",
        "svchost.exeM_1120_",
        "searchindexer.exeM_1316_"
    ],
    "file_opened": [
        "C:\\Windows\\System32\\ExplorerFrame.dll",
        "C:\\Windows\\system.ini",
        "C:\\Windows\\AppPatch\\sysmain.sdb",
        "C:\\",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt",
        "C:\\Windows\\System32\\",
        "C:\\Users\\desktop.ini",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
        "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\slideshow.ini",
        "C:\\Users\\cuck\\Desktop\\desktop.ini",
        "C:\\autorun.inf",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe",
        "C:\\Program Files (x86)\\desktop.ini",
        "C:\\Windows\\winsxs\\FileMaps\\program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms",
        "C:\\Program Files\\desktop.ini",
        "C:\\Windows\\System32\\explorerframe.dll"
    ],
    "guid": [
        "{b57046bc-32e5-428a-9887-19f712b907bf}",
        "{9ba05972-f6a8-11cf-a442-00a0c90a8f39}",
        "{ba126ae5-2166-11d1-b1d0-00805fc1270e}",
        "{00000320-0000-0000-c000-000000000046}",
        "{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
        "{00000146-0000-0000-c000-000000000046}",
        "{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
        "{75847177-f077-4171-bd2c-a6bb2164fbd0}",
        "{d5f569d0-593b-101a-b569-08002b2dbf7a}",
        "{11dbb47c-a525-400b-9e80-a54615a090c0}",
        "{000214e6-0000-0000-c000-000000000046}",
        "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
        "{00000323-0000-0000-c000-000000000046}",
        "{ba126ad1-2166-11d1-b1d0-00805fc1270e}",
        "{faedcf69-31fe-11d1-aad2-00805fc1270e}",
        "{489e9453-869b-4bcc-a1c7-48b5285fd9d8}",
        "{a47979d2-c419-11d9-a5b4-001185ad2b89}",
        "{7007acc7-3202-11d1-aad2-00805fc1270e}",
        "{682159d9-c321-47ca-b3f1-30e36b2ec8b9}",
        "{85cb6900-4d95-11cf-960c-0080c7f4ee85}",
        "{7f9185b0-cb92-43c5-80a9-92277a4f7b54}",
        "{b196b284-bab4-101a-b69c-00aa00341d07}"
    ],
    "file_read": [
        "C:\\Users\\cuck\\Desktop\\desktop.ini",
        "C:\\Users\\desktop.ini",
        "C:\\Windows\\system.ini",
        "C:\\autorun.inf",
        "C:\\Program Files (x86)\\desktop.ini",
        "C:\\Windows\\winsxs\\FileMaps\\program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms",
        "C:\\Program Files\\desktop.ini",
        "C:\\Windows\\System32\\ExplorerFrame.dll"
    ],
    "regkey_read": [
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_98",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_99",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_92",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_93",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_90",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_91",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_96",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_97",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_95",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_146",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_147",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_144",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_130",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_132",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_133",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_134",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_135",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_137",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_138",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_139",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_143",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResourceType",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_141",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_120",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_94",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_121",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_111",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_110",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_113",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_112",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_114",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_116",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_119",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_118",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_98",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Icon",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_94",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_95",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_96",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_97",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_90",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_91",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_92",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_93",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_109",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParentFolder",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_73",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PublishExpandedPath",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_71",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_70",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_77",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_76",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_75",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_74",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_134",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_79",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_78",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_131",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_126",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_36",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_132",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResource",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_131",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_31",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_30",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_33",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_32",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_35",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_34",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_37",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\FolderTypeID",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_39",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_38",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_136",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_99",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\command\\DelegateExecute",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_3",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_58",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_59",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_56",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_57",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_54",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_55",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_52",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_50",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_51",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_1",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_0",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_3",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_2",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_5",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_4",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_7",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_6",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_9",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_8",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_129",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_128",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_121",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_120",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_123",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_122",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_125",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_124",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_127",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_126",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\LocalizedString",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_142",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_49",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_48",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_47",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_46",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_45",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_44",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_43",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_42",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_41",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_40",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\System.ItemNameDisplay",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_82",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_83",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_80",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_81",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_86",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_87",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_84",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_85",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_88",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_89",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_37",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_36",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_35",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_34",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_33",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_32",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_31",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_30",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\netshell.dll,-1200",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_39",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_38",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Category",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_9",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_104",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_75",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_3",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_2",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_1",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_0",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_7",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_6",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_5",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_101",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_102",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_71",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_103",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\_LabelFromReg",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_68",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_69",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_66",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_41",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_64",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_62",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_63",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_60",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_61",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_106",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_63",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PreCreate",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_12",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_13",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_10",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_11",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_16",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_17",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_14",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_15",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_18",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_19",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_129",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_128",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_127",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_126",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_125",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_123",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_122",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_121",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_120",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_103",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_102",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
        "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Open\\.Current\\Default Flags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Attributes",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_145",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11DBB47C-A525-400B-9E80-A54615A090C0}\\InProcServer32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_105",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_100",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_14",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_15",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_16",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_17",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_10",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_11",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_12",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_13",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_142",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_18",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_19",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_108",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_128",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_129",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PublishExpandedPath",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_125",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_127",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_120",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_121",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_122",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_123",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_8",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_9",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_0",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_1",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_4",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_5",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_6",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_7",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_91",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_108",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_109",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_68",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_69",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_64",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_65",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_66",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_67",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_60",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_61",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_62",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_22",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_23",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_20",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_21",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_26",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_27",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_24",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_25",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_28",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_29",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_97",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_96",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_95",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_94",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_93",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_92",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_90",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_99",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_98",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveAutoRun",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_105",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalizedName",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_133",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalRedirectOnly",
        "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Flags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_8",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_9",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_6",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_7",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_4",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_5",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_2",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_3",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_0",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_1",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_69",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_68",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_67",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_63",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_62",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_61",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_60",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_67",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_66",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_65",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_64",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_114",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_115",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_116",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_65",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_110",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_111",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_112",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_113",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_107",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_118",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_119",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_116",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_117",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_114",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_112",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_113",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_110",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_111",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalizedName",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_118",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_119",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_58",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_59",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{11DBB47C-A525-400B-9E80-A54615A090C0} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_50",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_51",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_53",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_54",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_55",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_56",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_57",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_115",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_29",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_28",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_25",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_24",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_27",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_26",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_21",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_20",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_23",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_22",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\System.ItemNameDisplay",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalRedirectOnly",
        "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Shuffle",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_20",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_21",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_22",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_23",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_24",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_25",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_26",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_27",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_28",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_29",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_146",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_147",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_140",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_141",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_142",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_143",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParentFolder",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_92",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_117",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Name",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_59",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_58",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_72",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_53",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_52",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_51",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_50",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_57",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_56",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_55",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_54",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_55",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_54",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_57",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_56",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_51",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_50",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_53",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_52",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_139",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_59",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_58",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_138",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\ExplorerHost",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\prnfldr.dll,-8036",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_135",
        "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Close\\.Current\\Default Flags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PreCreate",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_137",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_136",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_29",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_28",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_27",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_26",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_25",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_24",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_23",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_22",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_21",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_20",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_140",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Name",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_11",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_147",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_146",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_145",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_144",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_143",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParsingName",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_141",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_140",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
        "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\AnimationDuration",
        "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Open\\.Current\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\LoadWithoutCOM",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_60",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_63",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_62",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_65",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_64",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_67",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_66",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_69",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_68",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_139",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_138",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_133",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_132",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_131",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\FolderTypeID",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_137",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_136",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_135",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_134",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_117",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_117",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_116",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_115",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_114",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_113",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_110",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_119",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_118",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_19",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_18",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_11",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_10",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_13",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_12",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_15",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_14",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_17",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\LaunchExplorerFlags",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_19",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_18",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_17",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_16",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_15",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_14",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_13",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResourceType",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_10",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_80",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_81",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_82",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_83",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_84",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_85",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_86",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_87",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_88",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_89",
        "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Interval",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_74",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_61",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_76",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_77",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_70",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_72",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_73",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_78",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_79",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_124",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_130",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_89",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_88",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_101",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_100",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_107",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_106",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_104",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_81",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_80",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_83",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_82",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_85",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_84",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_87",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_86",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_115",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2ABC0864-9677-42E5-882A-D415C556C284}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_78",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_105",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_104",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_107",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_106",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_101",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_100",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_103",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_102",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_109",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_108",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_112",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_38",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_39",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_36",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_37",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_34",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_35",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_32",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_33",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_30",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_31",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_102",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_103",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_100",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_101",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_106",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_107",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_104",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_105",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_108",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_109",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_83",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_82",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_81",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_80",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_87",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_86",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_85",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_84",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_89",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_88",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_52",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_46",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_47",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_44",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_45",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_42",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_43",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_40",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_41",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_126",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_127",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_124",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_125",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_122",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_123",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_48",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_49",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_124",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_44",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_45",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_46",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_40",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_41",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_42",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_43",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_48",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_49",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_38",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\LocalServerOnly",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_30",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_31",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_32",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_33",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_34",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_35",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_36",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_37",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_128",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_129",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_148",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_111",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_141",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_140",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_143",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_142",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_145",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_144",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_147",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_146",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_49",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_48",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_45",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_44",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_47",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_46",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\LocalizedString",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_40",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_43",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_42",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_138",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_139",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_132",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_133",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_130",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_131",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_136",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_137",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_134",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_135",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_72",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_73",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_70",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_71",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_76",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_77",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_74",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_75",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_78",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c1_79",
        "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Close\\.Current\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_91",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_90",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_93",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_95",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_94",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_97",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_96",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_99",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_98",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Security",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_53",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_144",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_47",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_145",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Attributes",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_79",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_75",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_74",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_77",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_76",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_71",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_70",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_73",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c4_72",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c2_130",
        "HKEY_CURRENT_USER\\Software\\Arxv\\c3_39",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Roamable",
        "HKEY_CURRENT_USER\\AppEvents\\Schemes\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder"
    ],
    "directory_enumerated": [
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\main\\*",
        "F:\\*",
        "Y:\\*",
        "T:\\*",
        "C:\\Windows\\System32\\*.*",
        "R:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\hu-HU\\*",
        "K:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\*",
        "M:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\en-US\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\lv-LV\\*",
        "I:\\*",
        "D:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\he-IL\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\et-EE\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\keypad\\*",
        "C:\\Windows\\System32",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\de-DE\\*",
        "P:\\*",
        "N:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\web\\*",
        "V:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\auxpad\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\oskpred\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\HWRCUSTOMIZATION\\*",
        "H:\\*",
        "C:\\PerfLogs\\Admin\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\symbols\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\hr-HR\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\lt-LT\\*",
        "W:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\fr-FR\\*",
        "S:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\OSKNUMPAD\\*",
        "U:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\it-IT\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\es-ES\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ko-KR\\*",
        "G:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ar-SA\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\numbers\\*",
        "C:\\*",
        "Q:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\fi-FI\\*",
        "O:\\*",
        "C:\\CUCKOO-AGENT\\*",
        "E:\\*",
        "C:\\PROGRAM FILES\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ja-JP\\*",
        "Z:\\*",
        "X:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\el-GR\\*",
        "C:\\PerfLogs\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\cs-CZ\\*",
        "C:\\DOCUMENTS AND SETTINGS\\*",
        "C:\\Windows",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\bg-BG\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\da-DK\\*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\*",
        "L:\\*",
        "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\oskmenu\\*",
        "J:\\*"
    ],
    "directory_created": [
        "C:\\Users\\cuck",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
        "C:\\Users\\cuck\\AppData\\Roaming",
        "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\"
    ]
}

Dropped

[
    {
        "yara": [],
        "sha1": "59017bf82301e0a0905acbe86311c5b8a1b5eae1",
        "name": "96dc950eec5b8bbb_autorun.inf",
        "filepath": "C:\\autorun.inf",
        "type": "Microsoft Windows Autorun file, ASCII text, with CRLF line terminators",
        "sha256": "96dc950eec5b8bbb440c5dafe55b960f32ae819874e8a65dc2a3ea8c15882125",
        "urls": [],
        "crc32": "9186E62C",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4820\/files\/96dc950eec5b8bbb_autorun.inf",
        "ssdeep": null,
        "size": 288,
        "sha512": "5d9a7f85f2bff4e98a7311c811e34e0f9d6807bbbbab29d894307a9a4b427a9b08eb1977d99e6c77d43e90d14109cb1eb391375d40956f5c34e2ba84d558cd8d",
        "pids": [
            2816
        ],
        "md5": "7bb99c897916f24300033bef83df9d6e"
    },
    {
        "yara": [],
        "sha1": "5e3fb5a9d1bdc7457f791cbe394d3412b093646d",
        "name": "4a0c2745a37c7a6a_windaepms.exe",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe",
        "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
        "sha256": "4a0c2745a37c7a6a6d6b906ba59f86161f2cb933fb6b223b4b851c96a5a24e53",
        "urls": [],
        "crc32": "C16721AB",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4820\/files\/4a0c2745a37c7a6a_windaepms.exe",
        "ssdeep": null,
        "size": 74752,
        "sha512": "1b0c2d240081796872dd63e4267697d3b6739e7699fe3fdc5ab381e2b259b2a9af533bf3acdbdd5c6ada260d462907759a4768b6576f4b9f725383090ef3b586",
        "pids": [
            2816
        ],
        "md5": "88f6ec8d7bb768122cdb66e1f2a2b19a"
    },
    {
        "yara": [],
        "sha1": "fce18a0e182657e379feef1e62b14020ee84f39f",
        "name": "0fbb1adc4c8cf65c_nrpds.exe",
        "filepath": "C:\\nrpds.exe",
        "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
        "sha256": "0fbb1adc4c8cf65c919f8840c4d674cc37f2ff42e77737f9f0bb5a3621947d92",
        "urls": [],
        "crc32": "D703789C",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4820\/files\/0fbb1adc4c8cf65c_nrpds.exe",
        "ssdeep": null,
        "size": 103140,
        "sha512": "e3190e34d262c613d1df68c92538a37509cdccb65ac603a74f673df4a72ecb94133c3ee0f02da8820000b9c0d116938753defd76923710a4efdd4aac3a51709f",
        "pids": [
            2816
        ],
        "md5": "40fd045a6c7010b4a4d028643d7c39d3"
    },
    {
        "yara": [],
        "sha1": "5fb1fe7784cf7e8b7fa5c9f1a2d0189a6332cdc2",
        "name": "eba6dc05194afb1b_system.ini",
        "filepath": "C:\\Windows\\system.ini",
        "type": "Windows SYSTEM.INI, ASCII text, with CRLF line terminators",
        "sha256": "eba6dc05194afb1bdf35f61865fd86a557d931b10bfedb10b176a65242a54274",
        "urls": [],
        "crc32": "EFE31153",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4820\/files\/eba6dc05194afb1b_system.ini",
        "ssdeep": null,
        "size": 256,
        "sha512": "b6faf69d6f5c48da3486cf0818e0d4e0cba916934179777c230edf76183856251750d348a940ee99bc15ee54a8bbfa9e9364f2f820a256ca856eb75de1627026",
        "pids": [
            2816
        ],
        "md5": "cd6efc4dc81adb1f396efaea08f465b0"
    }
]

Generic

[
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed.bin",
        "process_name": "bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed.bin",
        "pid": 2816,
        "summary": {
            "file_created": [
                "C:\\nrpds.exe",
                "C:\\autorun.inf",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe"
            ],
            "regkey_written": [
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_98",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_99",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusOverride",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_92",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_93",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_90",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_91",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_96",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_97",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_94",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_95",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_146",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_147",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_144",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_130",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_131",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_132",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_133",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_134",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_135",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_136",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_137",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_138",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_139",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_143",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_140",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_141",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_120",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_121",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_111",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_110",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_113",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_112",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_115",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_114",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_117",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_116",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_119",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_118",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_98",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_99",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_94",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_95",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_96",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_97",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_90",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_91",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_92",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_93",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_109",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_73",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_72",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_71",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_70",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_77",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_76",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_75",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_74",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_135",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_134",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_79",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_78",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_131",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_130",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_133",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_132",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_31",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_30",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_33",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_32",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_35",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_34",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_37",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_36",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_39",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_38",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_58",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_59",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_56",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_57",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_54",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_55",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_52",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_53",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_50",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_51",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_1",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_0",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_3",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_2",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_5",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_4",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_7",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_6",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_9",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_8",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_129",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_128",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_121",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_120",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_123",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_122",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_125",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_124",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_127",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_126",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_49",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_48",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_47",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_46",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_45",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_44",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_43",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_42",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_41",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_40",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_82",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_83",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_80",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_81",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_86",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_87",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_84",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_85",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_88",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_89",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_37",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_36",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_35",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_34",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_33",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_32",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_31",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_30",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_39",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_38",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_9",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_8",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_104",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_3",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_2",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_1",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_0",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_7",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_6",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_5",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_4",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_100",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_101",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_102",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\GlobalUserOffline",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_103",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_68",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_69",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_66",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_67",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_64",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_65",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_62",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_63",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_60",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_61",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_106",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_107",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_12",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_13",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_10",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_11",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_16",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_17",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_14",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_15",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_18",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_19",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_105",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_129",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_23",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_127",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_126",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_125",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_28",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_123",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_122",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_121",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_120",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_103",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_102",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_145",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_14",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_15",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_16",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_17",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_10",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_11",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_12",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_13",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_142",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_18",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_19",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_108",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_128",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_129",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_124",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_125",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_126",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_127",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_120",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_121",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_122",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_123",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_8",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_9",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_0",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_1",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_2",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_3",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_4",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_5",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_6",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_7",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_108",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_109",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_68",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_69",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_64",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_65",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_66",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_67",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_60",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_61",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_62",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_63",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_22",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UacDisableNotify",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_20",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_21",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_26",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_27",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_24",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_25",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_28",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_29",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_97",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_96",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_95",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_94",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_93",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_92",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_91",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_90",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_99",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_98",
                "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\418466543",
                "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\1801680227",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UpdatesDisableNotify",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_8",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_9",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_6",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_7",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_4",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_5",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_2",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_3",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_0",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_69",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_68",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_63",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_62",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_61",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_60",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_67",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_66",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_65",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_64",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_114",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_115",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_116",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_117",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_110",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_111",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_112",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_113",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_118",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_119",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallOverride",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_116",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_117",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_114",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_115",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_112",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_113",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_110",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_111",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_118",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_119",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_58",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_59",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_50",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_51",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_52",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_53",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_54",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_55",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_56",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_57",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_29",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_28",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_25",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_24",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_27",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_26",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_21",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_20",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_23",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_22",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DisableNotifications",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_20",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_21",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_22",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_23",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_24",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_25",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_26",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_27",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_28",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_29",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_146",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_147",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_140",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_141",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_142",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_143",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UacDisableNotify",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_59",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_58",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_53",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_52",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_51",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_50",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_57",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_56",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_55",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_54",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_55",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_54",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_57",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_56",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_51",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_50",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_53",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_52",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_139",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_59",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_58",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_138",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_137",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_136",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_29",
                "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-1383213684",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_27",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_26",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_25",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_24",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_23",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_22",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_21",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_20",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_147",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_146",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_145",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_144",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_143",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_142",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_141",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_140",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_61",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_60",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_63",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_62",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_65",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_64",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_67",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_66",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_69",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_68",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_139",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_138",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_133",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_132",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_131",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_130",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_137",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_136",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_135",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_134",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_117",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_116",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_115",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_114",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_113",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_112",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_111",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_110",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_119",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_118",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_19",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_18",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_11",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_10",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_13",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_12",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_15",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_14",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_17",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_16",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_19",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_18",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_17",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_16",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_15",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_14",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_13",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_12",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_11",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_10",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_80",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_81",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_82",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_83",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_84",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_85",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_86",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_87",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_88",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_89",
                "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-691606842",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_74",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_75",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_76",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_77",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_70",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_71",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_72",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_73",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_78",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_79",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_89",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_88",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_101",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_100",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_107",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_106",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_105",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_104",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_81",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_80",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_83",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_82",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_85",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_84",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_87",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusDisableNotify",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_105",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_104",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_107",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_106",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_101",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_100",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_103",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_102",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_109",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_108",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_38",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_39",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_36",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_37",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_34",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_35",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_32",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_33",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_30",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_31",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_102",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_103",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_100",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_101",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_106",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_107",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_104",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_105",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_108",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_109",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_83",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_82",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_81",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_80",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_87",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_86",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_85",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_84",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_89",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_88",
                "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\1110073385",
                "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-2074820526",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_128",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_46",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_47",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_44",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_45",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_42",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_43",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_40",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_41",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_126",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_127",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_124",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_125",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_122",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_123",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_48",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_49",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_124",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_44",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_45",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_46",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_47",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_40",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_41",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_42",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_43",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_48",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_49",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_38",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_39",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_30",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_31",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_32",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_33",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_34",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_35",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_36",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_37",
                "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-273140299",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_128",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_129",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallDisableNotify",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_141",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_140",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_143",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_142",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_145",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_144",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_147",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_146",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_49",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_48",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_45",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_44",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_47",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_46",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_41",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_40",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_43",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_42",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_138",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_139",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_132",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_133",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_130",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_131",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_136",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_137",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_134",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_135",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_72",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_73",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_70",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_71",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_76",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_77",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_74",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_75",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_78",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_79",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_91",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_90",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_93",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_92",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_95",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_94",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_97",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_96",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_99",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_98",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_144",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_145",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_79",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_78",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_75",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_74",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_77",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_76",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_71",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_70",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_73",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_72",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
            ],
            "dll_loaded": [
                "API-MS-Win-Security-LSALookup-L1-1-0.dll",
                "apphelp.dll",
                "kernel32.dll",
                "MSVCRT.dll",
                "ntmarta.dll",
                "PROPSYS.dll",
                "KERNEL32.DLL",
                "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
                "ole32.dll",
                "USER32.dll",
                "API-MS-Win-Security-SDDL-L1-1-0.dll",
                "WININET.DLL",
                "ADVAPI32.dll",
                "OLEAUT32",
                "OLEAUT32.dll",
                "profapi.dll",
                "SHELL32.dll",
                "sfc",
                "comctl32.dll",
                "MPR",
                "DEVRTL.dll",
                "SHELL32.DLL",
                "SETUPAPI.dll",
                "WS2_32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\system.ini",
                "C:\\Windows\\AppPatch\\sysmain.sdb",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
                "C:\\Windows\\System32\\",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
                "C:\\Users\\cuck\\Desktop\\desktop.ini",
                "C:\\autorun.inf",
                "C:\\Windows\\System32\\ExplorerFrame.dll",
                "C:\\Windows\\winsxs\\FileMaps\\program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms",
                "C:\\Windows\\System32\\explorerframe.dll"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
                "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache ",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Drive",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_CLASSES_ROOT\\Drive",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\(Default)",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
                "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
                "HKEY_CURRENT_USER\\Software\\Arxv",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shell\\open",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_CLASSES_ROOT\\Folder",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\shell\\open",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile",
                "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Svc",
                "HKEY_LOCAL_MACHINE\\System\\Setup",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
                "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\(Default)",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed.bin",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders",
                "HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PropertyBag",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                "HKEY_CLASSES_ROOT\\SystemFileAssociations\\Drive.Fixed",
                "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PropertyBag",
                "HKEY_CLASSES_ROOT\\CLSID\\{11DBB47C-A525-400B-9E80-A54615A090C0}\\SupportedProtocols",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Drive\\OpenWithProgids",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\(Default)",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\command",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\CurVer",
                "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1",
                "HKEY_CLASSES_ROOT\\CLSID\\{11DBB47C-A525-400B-9E80-A54615A090C0}\\InProcServer32",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache"
            ],
            "command_line": [
                "C:\\"
            ],
            "file_written": [
                "C:\\Windows\\system.ini",
                "C:\\nrpds.exe",
                "C:\\autorun.inf",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe"
            ],
            "file_deleted": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe"
            ],
            "file_exists": [
                "C:\\nrpds.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe",
                "C:\\autorun.inf",
                "C:\\Windows\\System32\\explorerframe.dll"
            ],
            "mutex": [
                "cmd.exeM_1692_",
                "svchost.exeM_1216_",
                "svchost.exeM_660_",
                "lsass.exeM_476_",
                "svchost.exeM_276_",
                "explorer.exeM_1788_",
                "wmpnetwk.exeM_1856_",
                "svchost.exeM_712_",
                "winlogon.exeM_424_",
                "dwm.exeM_1768_",
                "wininit.exeM_376_",
                "taskhost.exeM_1724_",
                "searchprotocolhost.exeM_1232_",
                "conhost.exeM_1700_",
                "svchost.exeM_1000_",
                "lsm.exeM_484_",
                "csrss.exeM_328_",
                "svchost.exeM_480_",
                "smss.exeM_252_",
                "searchprotocolhost.exeM_1092_",
                "python.exeM_1244_",
                "bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618eM_2816_",
                "spoolsv.exeM_1084_",
                "csrss.exeM_384_",
                "audiodg.exeM_2560_",
                "services.exeM_468_",
                "svchost.exeM_880_",
                "svchost.exeM_1548_",
                "uxJLpe1m",
                "svchost.exeM_592_",
                "mobsync.exeM_800_",
                "taskhost.exeM_2312_",
                "svchost.exeM_804_",
                "searchfilterhost.exeM_2676_",
                "Ap1mutx7",
                "explorer.exeM_2800_",
                "svchost.exeM_3000_",
                "python.exeM_2168_",
                "svchost.exeM_3064_",
                "svchost.exeM_1120_",
                "searchindexer.exeM_1316_"
            ],
            "file_failed": [
                "\\??\\L:",
                "\\??\\N:",
                "\\??\\U:",
                "\\??\\H:",
                "\\??\\W:",
                "\\??\\J:",
                "\\??\\Q:",
                "C:\\autorun.inf",
                "\\??\\D:",
                "\\??\\S:",
                "\\??\\F:",
                "\\??\\M:",
                "\\??\\X:",
                "\\??\\Z:",
                "C:\\Windows\\winsxs\\FileMaps\\users_cuck_appdata_local_temp_c2004f3465698a5a.cdf-ms",
                "\\??\\O:",
                "\\??\\I:",
                "\\??\\T:",
                "\\??\\V:",
                "\\??\\K:",
                "\\??\\E:",
                "\\??\\P:",
                "\\??\\R:",
                "\\??\\G:",
                "\\??\\Y:"
            ],
            "guid": [
                "{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
                "{489e9453-869b-4bcc-a1c7-48b5285fd9d8}",
                "{682159d9-c321-47ca-b3f1-30e36b2ec8b9}",
                "{9ba05972-f6a8-11cf-a442-00a0c90a8f39}",
                "{85cb6900-4d95-11cf-960c-0080c7f4ee85}",
                "{7f9185b0-cb92-43c5-80a9-92277a4f7b54}",
                "{11dbb47c-a525-400b-9e80-a54615a090c0}",
                "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}"
            ],
            "file_read": [
                "C:\\Windows\\winsxs\\FileMaps\\program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms",
                "C:\\Windows\\system.ini",
                "C:\\Users\\cuck\\Desktop\\desktop.ini",
                "C:\\autorun.inf",
                "C:\\Windows\\System32\\ExplorerFrame.dll"
            ],
            "regkey_read": [
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_98",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_99",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_92",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_93",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_90",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_91",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_96",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_97",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_95",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_146",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_147",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_144",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_130",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_132",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_133",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_134",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_135",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_137",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_138",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_139",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_143",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResourceType",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_141",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_120",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Category",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InfoTip",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_94",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_121",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_111",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_110",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_113",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_112",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_114",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_116",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_119",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_118",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_98",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Icon",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_94",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_95",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_96",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_97",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_90",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_91",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_92",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_93",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_109",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\RelativePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParentFolder",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_73",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PublishExpandedPath",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_71",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_70",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_77",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_76",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_75",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_74",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_134",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_79",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_78",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_131",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_126",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_36",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_132",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResource",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_131",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_31",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_30",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_33",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_32",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_35",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_34",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_37",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\FolderTypeID",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_39",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_38",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_136",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_99",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\command\\DelegateExecute",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_3",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_58",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_59",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_56",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_57",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_54",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_55",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_52",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_50",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_51",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_1",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_0",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_3",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_2",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_5",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_4",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_7",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_6",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_9",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_8",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_129",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_128",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_121",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_120",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_123",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_122",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_125",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_124",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_127",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_126",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_142",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_49",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_48",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_47",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_46",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_45",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_44",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_43",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_42",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_41",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_40",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_82",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_83",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_80",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_81",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_86",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_87",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_84",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_85",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_88",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_89",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_37",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_36",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_35",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_34",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_33",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_32",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_31",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_30",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_39",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_38",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Category",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_9",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_8",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_104",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_3",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_2",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_1",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_0",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_7",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_6",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_5",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_4",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_101",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_102",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_71",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_103",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_68",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_69",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_66",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_67",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_64",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_62",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_63",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_60",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_61",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_106",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_63",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Icon",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PreCreate",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_12",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_13",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_10",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_11",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_16",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_17",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_14",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_15",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_18",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_19",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_129",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_128",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_127",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_126",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_125",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_123",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_122",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_121",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_120",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_103",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_102",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Attributes",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_145",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11DBB47C-A525-400B-9E80-A54615A090C0}\\InProcServer32\\(Default)",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_105",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_100",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_14",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_15",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_16",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_17",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_10",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_11",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_12",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_13",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_142",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_18",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_19",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_108",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_128",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_129",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PublishExpandedPath",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_125",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_127",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_120",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_121",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_122",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_123",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_8",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_9",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_0",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_1",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_2",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_4",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_5",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_6",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_7",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_91",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_108",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_109",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_68",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_69",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_64",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_65",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_66",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_67",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_60",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_61",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_62",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_22",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_23",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_20",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_21",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_26",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_27",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_24",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_25",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_28",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_29",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_97",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_96",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_95",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_94",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_93",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_92",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_90",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_99",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_98",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveAutoRun",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_105",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalizedName",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_133",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalRedirectOnly",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_8",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_9",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_6",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_7",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_4",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_5",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_2",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_3",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_0",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_1",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_69",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_68",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_63",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_62",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_61",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_60",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_67",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_66",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_65",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_64",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_114",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_115",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_116",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_65",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_110",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_111",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_112",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_113",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_107",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_118",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_119",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_116",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_117",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_114",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_112",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_113",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_110",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_111",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalizedName",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_118",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_119",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_58",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_59",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{11DBB47C-A525-400B-9E80-A54615A090C0} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_50",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_51",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_53",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_54",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_55",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_56",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_57",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_115",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_29",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_28",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_25",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_24",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_27",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_26",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_21",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_20",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_23",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_22",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalRedirectOnly",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_20",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_21",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_22",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_23",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_24",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_25",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_26",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_27",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_28",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_29",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_146",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_147",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_140",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_141",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_142",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_143",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParentFolder",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_92",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_117",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Name",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_59",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_58",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_72",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_53",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_52",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_51",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_50",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_57",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_56",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_55",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_54",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_55",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_54",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_57",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_56",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_51",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_50",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_53",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_52",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_139",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_59",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_58",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_138",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\ExplorerHost",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_135",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PreCreate",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_137",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_136",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_29",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_28",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_27",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_26",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_25",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_24",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_23",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_22",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_21",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_20",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Stream",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Security",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResource",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_140",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Name",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_11",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Stream",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_147",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_146",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_145",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_144",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_143",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParsingName",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_141",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_140",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_61",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_60",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_63",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_62",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_65",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_64",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_67",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_66",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_69",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_68",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_139",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_138",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_133",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_132",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_131",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\FolderTypeID",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_137",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_136",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_135",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_134",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_117",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_117",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_116",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_115",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_114",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_113",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Description",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_110",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_119",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_118",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_19",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_18",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_11",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_10",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_13",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_12",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_15",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_14",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_17",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_16",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\LaunchExplorerFlags",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_19",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_18",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_17",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_16",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_15",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_14",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_13",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_12",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResourceType",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_10",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_80",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_81",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_82",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_83",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_84",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_85",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_86",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_87",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_88",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_89",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\RelativePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_74",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_75",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_76",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_77",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_70",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_72",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_73",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_78",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_79",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_124",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_130",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_89",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_88",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_101",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_100",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_107",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_106",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_104",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_81",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_80",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_83",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_82",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_85",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_84",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_87",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_86",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_115",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_78",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_105",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_104",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_107",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_106",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_101",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_100",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_103",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_102",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_109",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_108",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_112",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_38",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_39",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_36",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_37",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_34",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_35",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_32",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_33",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_30",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_31",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_102",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_103",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_100",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_101",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_106",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_107",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_104",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_105",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_108",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_109",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_83",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_82",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_81",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_80",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_87",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_86",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_85",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_84",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_89",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_88",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_52",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_46",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_47",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_44",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_45",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_42",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_43",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_40",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_41",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_126",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_127",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_124",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_125",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_122",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_123",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_48",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_49",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_124",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_44",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_45",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_46",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_47",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_40",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_41",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_42",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_43",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_48",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_49",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_38",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\LocalServerOnly",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_30",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_31",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_32",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_33",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_34",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_35",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_36",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_37",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_128",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_129",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_148",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_111",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_141",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_140",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_143",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_142",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_145",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_144",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_147",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_146",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_49",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_48",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_45",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_44",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_47",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_46",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_41",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_40",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_43",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_42",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_138",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_139",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_132",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_133",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_130",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_131",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_136",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_137",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_134",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_135",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_72",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_73",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_70",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_71",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_76",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_77",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_74",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_75",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_78",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c1_79",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InitFolderHandler",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_91",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_90",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_93",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_95",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_94",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_97",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_96",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_99",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_98",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Security",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_53",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_144",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_145",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParsingName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Attributes",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_79",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_75",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_74",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_77",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_76",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_71",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_70",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_73",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c4_72",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c2_130",
                "HKEY_CURRENT_USER\\Software\\Arxv\\c3_39",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InfoTip",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Roamable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder"
            ],
            "directory_enumerated": [
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\main\\*",
                "F:\\*",
                "Y:\\*",
                "T:\\*",
                "C:\\Windows\\System32\\*.*",
                "R:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\hu-HU\\*",
                "K:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\*",
                "M:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\en-US\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\lv-LV\\*",
                "I:\\*",
                "D:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\he-IL\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\et-EE\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\keypad\\*",
                "C:\\Windows\\System32",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\de-DE\\*",
                "P:\\*",
                "N:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\web\\*",
                "V:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\auxpad\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\oskpred\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\HWRCUSTOMIZATION\\*",
                "H:\\*",
                "C:\\PerfLogs\\Admin\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\symbols\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\hr-HR\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\lt-LT\\*",
                "W:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\fr-FR\\*",
                "S:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\OSKNUMPAD\\*",
                "U:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\it-IT\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\es-ES\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ko-KR\\*",
                "G:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ar-SA\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\numbers\\*",
                "C:\\*",
                "Q:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\fi-FI\\*",
                "O:\\*",
                "C:\\CUCKOO-AGENT\\*",
                "E:\\*",
                "C:\\PROGRAM FILES\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ja-JP\\*",
                "Z:\\*",
                "X:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\el-GR\\*",
                "C:\\PerfLogs\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\cs-CZ\\*",
                "C:\\DOCUMENTS AND SETTINGS\\*",
                "C:\\Windows",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\bg-BG\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\da-DK\\*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\*",
                "L:\\*",
                "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\oskmenu\\*",
                "J:\\*"
            ],
            "directory_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches"
            ]
        },
        "first_seen": 1578329585.578125,
        "ppid": 2016
    },
    {
        "process_path": "C:\\Windows\\System32\\mobsync.exe",
        "process_name": "mobsync.exe",
        "pid": 800,
        "summary": {},
        "first_seen": 1578329587.483875,
        "ppid": 592
    },
    {
        "process_path": "C:\\Windows\\System32\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 1692,
        "summary": {},
        "first_seen": 1578329586.75,
        "ppid": 1788
    },
    {
        "process_path": "C:\\Windows\\System32\\taskhost.exe",
        "process_name": "taskhost.exe",
        "pid": 1724,
        "summary": {
            "regkey_read": [
                "HKEY_CURRENT_USER\\AppEvents\\Schemes\\(Default)",
                "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Close\\.Current\\Default Flags",
                "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Close\\.Current\\(Default)",
                "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Open\\.Current\\(Default)",
                "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Open\\.Current\\Default Flags"
            ]
        },
        "first_seen": 1578329585.953125,
        "ppid": 468
    },
    {
        "process_path": "C:\\Windows\\System32\\conhost.exe",
        "process_name": "conhost.exe",
        "pid": 1700,
        "summary": {},
        "first_seen": 1578329587.202625,
        "ppid": 384
    },
    {
        "process_path": "C:\\Windows\\System32\\dwm.exe",
        "process_name": "dwm.exe",
        "pid": 1768,
        "summary": {},
        "first_seen": 1578329586.359375,
        "ppid": 804
    },
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1578329585.328125,
        "ppid": 376
    },
    {
        "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe",
        "process_name": "SearchProtocolHost.exe",
        "pid": 1232,
        "summary": {
            "guid": [
                "{00000323-0000-0000-c000-000000000046}",
                "{00000146-0000-0000-c000-000000000046}"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
            ]
        },
        "first_seen": 1578329598.374498,
        "ppid": 1316
    },
    {
        "process_path": "C:\\Windows\\explorer.exe",
        "process_name": "explorer.exe",
        "pid": 1788,
        "summary": {
            "regkey_written": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\\CheckSetting",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList"
            ],
            "file_failed": [
                "C:\\desktop.ini"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100"
            ],
            "file_exists": [
                "C:\\"
            ],
            "file_opened": [
                "C:\\Users\\desktop.ini",
                "C:\\Program Files (x86)\\desktop.ini",
                "C:\\Program Files\\desktop.ini",
                "C:\\"
            ],
            "guid": [
                "{00000320-0000-0000-c000-000000000046}",
                "{00000323-0000-0000-c000-000000000046}",
                "{a47979d2-c419-11d9-a5b4-001185ad2b89}",
                "{00000146-0000-0000-c000-000000000046}",
                "{7007acc7-3202-11d1-aad2-00805fc1270e}",
                "{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
                "{faedcf69-31fe-11d1-aad2-00805fc1270e}",
                "{d5f569d0-593b-101a-b569-08002b2dbf7a}",
                "{ba126ae5-2166-11d1-b1d0-00805fc1270e}",
                "{000214e6-0000-0000-c000-000000000046}"
            ],
            "file_read": [
                "C:\\Users\\desktop.ini",
                "C:\\Program Files (x86)\\desktop.ini",
                "C:\\Program Files\\desktop.ini"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\LocalizedString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\System.ItemNameDisplay",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\prnfldr.dll,-8036",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\netshell.dll,-1200",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\System.ItemNameDisplay",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\LoadWithoutCOM",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\LocalizedString",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\_LabelFromReg"
            ]
        },
        "first_seen": 1578329586.5625,
        "ppid": 1740
    },
    {
        "process_path": "C:\\Windows\\explorer.exe",
        "process_name": "explorer.exe",
        "pid": 2800,
        "summary": {
            "directory_created": [
                "C:\\Users\\cuck",
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\",
                "C:\\Users\\cuck\\AppData\\Roaming"
            ],
            "dll_loaded": [
                "API-MS-WIN-Service-Management-L1-1-0.dll",
                "VERSION.dll",
                "API-MS-WIN-Service-winsvc-L1-1-0.dll",
                "POWRPROF.DLL",
                "ADVAPI32.dll",
                "ole32.dll",
                "C:\\Windows\\system32\\FXSRESM.DLL",
                "slc.dll",
                "fxsst.dll"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt",
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\slideshow.ini"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow",
                "HKEY_CURRENT_USER\\AppEvents\\EventLabels\\FaxSent",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fax\\Client\\ServiceStartup"
            ],
            "file_exists": [
                "C:\\Users\\cuck",
                "C:\\Users\\cuck\\AppData\\Roaming"
            ],
            "guid": [
                "{ba126ad1-2166-11d1-b1d0-00805fc1270e}",
                "{a47979d2-c419-11d9-a5b4-001185ad2b89}",
                "{b196b284-bab4-101a-b69c-00aa00341d07}",
                "{75847177-f077-4171-bd2c-a6bb2164fbd0}",
                "{b57046bc-32e5-428a-9887-19f712b907bf}"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex",
                "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\AnimationDuration",
                "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Interval",
                "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Flags",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex",
                "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Shuffle",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2ABC0864-9677-42E5-882A-D415C556C284}\\ProxyStubClsid32\\(Default)"
            ]
        },
        "first_seen": 1578329597.96825,
        "ppid": 424
    }
]

Signatures

[
    {
        "markcount": 1,
        "families": [],
        "description": "Queries for the computername",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameA",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1578329585.750125,
                    "tid": 2588,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 286
            }
        ],
        "references": [],
        "name": "antivm_queries_computername"
    },
    {
        "markcount": 3,
        "families": [],
        "description": "One or more processes crashed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed+0x2dcd @ 0x402dcd",
                        "registers": {
                            "esp": 31653680,
                            "edi": 2179137553,
                            "eax": 2179137553,
                            "ebp": 31653720,
                            "edx": 2179137554,
                            "ebx": 32227724,
                            "esi": 4205006,
                            "ecx": 2008823930
                        },
                        "exception": {
                            "instruction_r": "8a 08 40 84 c9 75 f9 2b c2 c7 45 fc fe ff ff ff",
                            "symbol": "lstrlen+0x1a lstrcmpW-0x3f kernelbase+0xa34a",
                            "instruction": "mov cl, byte ptr [eax]",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0xc0000005",
                            "offset": 41802,
                            "address": "0x75dba34a"
                        }
                    },
                    "time": 1578329585.719125,
                    "tid": 2588,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 72
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "0\nx\n5\n1\nf\n1\n9\n0\n4\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0",
                        "registers": {
                            "r14": 247911176,
                            "r9": 0,
                            "rcx": 48,
                            "rsi": 247911176,
                            "r10": 0,
                            "rbx": 98187056,
                            "rdi": 98267440,
                            "r11": 156302544,
                            "r8": 2007859596,
                            "rdx": 8796092387920,
                            "rbp": 156299888,
                            "r15": 262145,
                            "r12": 262144,
                            "rsp": 156299768,
                            "rax": 85924096,
                            "r13": 156301057
                        },
                        "exception": {
                            "instruction_r": "83 3d 8d d1 02 00 00 68 53 12 69 fb c7 44 24 04",
                            "instruction": "cmp dword ptr [rip + 0x2d18d], 0",
                            "exception_code": "0xc0000005",
                            "symbol": "",
                            "address": "0x51f1904"
                        }
                    },
                    "time": 1578329587.4065,
                    "tid": 2104,
                    "flags": {}
                },
                "pid": 1788,
                "type": "call",
                "cid": 1075
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda1a49d\nRpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefeef73c3\nCoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7feffb662ba\nNdr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefefbb949\nCoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7feffb621d0\nDcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7feffa1d8a2\nObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7feffa21bb3\nObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7feffa21b22\nCoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7feffa217eb\nCoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7feffa21417\nCoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7feffa194fa\nCoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7feffa19428\nCoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7feffa19b49\nCoRegisterMessageFilter+0x153b CoUninitialize-0x3341 ole32+0x1dfd3 @ 0x7feffa0dfd3\nCoRegisterMessageFilter+0x11c0 CoUninitialize-0x36bc ole32+0x1dc58 @ 0x7feffa0dc58\nCoRegisterMessageFilter+0xb97 CoUninitialize-0x3ce5 ole32+0x1d62f @ 0x7feffa0d62f\nCoRegisterMessageFilter+0x13fe CoUninitialize-0x347e ole32+0x1de96 @ 0x7feffa0de96\nObjectStublessClient32+0x73c2 CoDisconnectContext-0x9cb6 ole32+0x4aec2 @ 0x7feffa3aec2\nCoUninitialize+0x1010 CoInitializeEx-0x70c ole32+0x22324 @ 0x7feffa12324\nCoRegisterMessageFilter+0x3c30 CoUninitialize-0xc4c ole32+0x206c8 @ 0x7feffa106c8\nCoRegisterMessageFilter+0x3c01 CoUninitialize-0xc7b ole32+0x20699 @ 0x7feffa10699\nCoDisableCallCancellation+0x3fc ObjectStublessClient24-0xe4 ole32+0xe7ac @ 0x7feff9fe7ac\nCoUninitialize+0xa6 CoInitializeEx-0x1676 ole32+0x213ba @ 0x7feffa113ba\nNew_ole32_CoUninitialize+0x57 New_ole32_OleConvertOLESTREAMToIStorage-0x53 @ 0x65aa761e\nmobsync+0x6840 @ 0xff106840\nmobsync+0x70ae @ 0xff1070ae\nBaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x777a652d\nRtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x779dc521",
                        "registers": {
                            "r14": 0,
                            "r9": 0,
                            "rcx": 1762560,
                            "rsi": 0,
                            "r10": 0,
                            "rbx": 0,
                            "rdi": 0,
                            "r11": 1764320,
                            "r8": 0,
                            "rdx": 1,
                            "rbp": 0,
                            "r15": 0,
                            "r12": 0,
                            "rsp": 1769376,
                            "rax": 2010841956,
                            "r13": 0
                        },
                        "exception": {
                            "instruction_r": "48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00",
                            "symbol": "RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d",
                            "instruction": "add rsp, 0xc8",
                            "module": "KERNELBASE.dll",
                            "exception_code": "0x80010012",
                            "offset": 42141,
                            "address": "0x7fefda1a49d"
                        }
                    },
                    "time": 1578329587.858875,
                    "tid": 1584,
                    "flags": {}
                },
                "pid": 800,
                "type": "call",
                "cid": 19
            }
        ],
        "references": [],
        "name": "raises_exception"
    },
    {
        "markcount": 0,
        "families": [],
        "description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
        "severity": 2,
        "marks": [],
        "references": [],
        "name": "dumped_buffer"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Allocates read-write-execute memory (usually to unpack itself)",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 17358848,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 12288,
                        "base_address": "0x01e30000"
                    },
                    "time": 1578329585.687125,
                    "tid": 2588,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 36
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x01e30000"
                    },
                    "time": 1578329585.734125,
                    "tid": 2588,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 192
            }
        ],
        "references": [],
        "name": "allocates_rwx"
    },
    {
        "markcount": 0,
        "families": [],
        "description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed",
        "severity": 2,
        "marks": [],
        "references": [
            "https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb"
        ],
        "name": "antisandbox_foregroundwindows"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "A process attempted to delay the analysis task.",
        "severity": 2,
        "marks": [
            {
                "type": "generic",
                "description": "bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed.bin tried to sleep 844 seconds, actually delayed analysis time by 844 seconds"
            }
        ],
        "references": [],
        "name": "antisandbox_sleep"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Creates an autorun.inf file",
        "severity": 2,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\autorun.inf",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "spreading_autoruninf"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Drops an executable to the user AppData folder",
        "severity": 2,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "exe_appdata"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "Process32NextW",
                    "return_value": 1,
                    "arguments": {
                        "process_name": "SearchProtocolHost.exe",
                        "snapshot_handle": "0x000002e8",
                        "process_identifier": 1232
                    },
                    "time": 1578329598.109125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2785
            }
        ],
        "references": [],
        "name": "injection_process_search"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "The binary likely contains encrypted or compressed data indicative of a packer",
        "severity": 2,
        "marks": [
            {
                "entropy": 7.990026038664141,
                "section": {
                    "size_of_data": "0x00013200",
                    "virtual_address": "0x00001000",
                    "entropy": 7.990026038664141,
                    "name": ".text",
                    "virtual_size": "0x00014000"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 1,
                "type": "generic",
                "description": "Overall entropy of this PE file is high"
            }
        ],
        "references": [
            "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
            "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
        ],
        "name": "packer_entropy"
    },
    {
        "markcount": 12,
        "families": [],
        "description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329587.312125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2425
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2745
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3057
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3400
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329629.328125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3612
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329639.609125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3886
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329649.875125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 4110
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329660.140125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 4328
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329670.422125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 4569
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329680.672125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 4772
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329690.969125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 4996
            },
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1578329701.265125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 5239
            }
        ],
        "references": [],
        "name": "privilege_luid_check"
    },
    {
        "markcount": 93,
        "families": [],
        "description": "Allocates execute permission to another process indicative of possible code injection",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1724,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x002e0000"
                    },
                    "time": 1578329585.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 1649
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1768,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001dc",
                        "allocation_type": 12288,
                        "base_address": "0x00130000"
                    },
                    "time": 1578329586.203125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2304
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1788,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x03e20000"
                    },
                    "time": 1578329586.484125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2351
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1692,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x00140000"
                    },
                    "time": 1578329586.656125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2368
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1700,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001dc",
                        "allocation_type": 12288,
                        "base_address": "0x01b20000"
                    },
                    "time": 1578329586.859125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2378
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2168,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x01d20000"
                    },
                    "time": 1578329587.312125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2409
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 800,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x002d0000"
                    },
                    "time": 1578329587.312125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2432
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1244,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x0000017c",
                        "allocation_type": 12288,
                        "base_address": "0x00350000"
                    },
                    "time": 1578329587.578125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2443
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x0000017c",
                        "allocation_type": 12288,
                        "base_address": "0x03210000"
                    },
                    "time": 1578329587.594125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2473
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x0000017c",
                        "allocation_type": 12288,
                        "base_address": "0x03260000"
                    },
                    "time": 1578329587.594125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2476
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1724,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x02510000"
                    },
                    "time": 1578329597.859125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2688
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1768,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x020d0000"
                    },
                    "time": 1578329597.859125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2697
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1692,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x026c0000"
                    },
                    "time": 1578329597.859125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2709
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1700,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x01d80000"
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2718
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2168,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x01d50000"
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2733
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1244,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x00380000"
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2752
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2800,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x04370000"
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2780
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1232,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x00230000"
                    },
                    "time": 1578329598.109125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2789
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1724,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x02540000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3000
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1768,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x020e0000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3009
            }
        ],
        "references": [],
        "name": "allocates_execute_remote_process"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Installs itself for autorun at Windows startup",
        "severity": 3,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\Windows\\system.ini",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "persistence_autorun"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Operates on local firewall's policies and settings",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "bypass_firewall"
    },
    {
        "markcount": 101,
        "families": [],
        "description": "Creates a thread using CreateRemoteThread in a non-child process indicative of process injection",
        "severity": 3,
        "marks": [
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 1724",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1724,
                        "function_address": "0x002e0000",
                        "flags": 0,
                        "process_handle": "0x000001e0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329586.156125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 1696
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 1768",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1768,
                        "function_address": "0x00130000",
                        "flags": 0,
                        "process_handle": "0x000001dc",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329586.484125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2344
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 1788",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1788,
                        "function_address": "0x03e20000",
                        "flags": 0,
                        "process_handle": "0x000001e0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329586.656125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2354
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 1692",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1692,
                        "function_address": "0x00140000",
                        "flags": 0,
                        "process_handle": "0x000001e0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329586.859125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2371
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 1700",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1700,
                        "function_address": "0x01b20000",
                        "flags": 0,
                        "process_handle": "0x000001dc",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329587.312125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2388
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 2168",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 2168,
                        "function_address": "0x01d20000",
                        "flags": 0,
                        "process_handle": "0x000001e0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329587.312125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2411
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 800",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 800,
                        "function_address": "0x002d0000",
                        "flags": 0,
                        "process_handle": "0x000001e0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329587.578125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2436
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 1244",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1244,
                        "function_address": "0x00350000",
                        "flags": 0,
                        "process_handle": "0x0000017c",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329587.594125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2445
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1724,
                        "function_address": "0x02510000",
                        "flags": 0,
                        "process_handle": "0x000002f0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329597.859125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2690
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1768,
                        "function_address": "0x020d0000",
                        "flags": 0,
                        "process_handle": "0x000002f4",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329597.859125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2699
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1692,
                        "function_address": "0x026c0000",
                        "flags": 0,
                        "process_handle": "0x000002f0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2711
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1700,
                        "function_address": "0x01d80000",
                        "flags": 0,
                        "process_handle": "0x000002f4",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2720
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 2168,
                        "function_address": "0x01d50000",
                        "flags": 0,
                        "process_handle": "0x000002f0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2735
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1244,
                        "function_address": "0x00380000",
                        "flags": 0,
                        "process_handle": "0x000002f4",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2754
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 2800",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 2800,
                        "function_address": "0x04370000",
                        "flags": 0,
                        "process_handle": "0x000002f4",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329598.109125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2782
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 created a remote thread in non-child process 1232",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1232,
                        "function_address": "0x00230000",
                        "flags": 0,
                        "process_handle": "0x000002f0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329598.515125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2802
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1724,
                        "function_address": "0x02540000",
                        "flags": 0,
                        "process_handle": "0x000002f0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3002
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1768,
                        "function_address": "0x020e0000",
                        "flags": 0,
                        "process_handle": "0x000002f4",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3011
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1692,
                        "function_address": "0x026d0000",
                        "flags": 0,
                        "process_handle": "0x000002f0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3023
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1700,
                        "function_address": "0x01da0000",
                        "flags": 0,
                        "process_handle": "0x000002f4",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3032
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 2168,
                        "function_address": "0x03300000",
                        "flags": 0,
                        "process_handle": "0x000002f0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3047
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1244,
                        "function_address": "0x00390000",
                        "flags": 0,
                        "process_handle": "0x000002f4",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3066
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 2800,
                        "function_address": "0x02be0000",
                        "flags": 0,
                        "process_handle": "0x000002f0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3090
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1232,
                        "function_address": "0x01d70000",
                        "flags": 0,
                        "process_handle": "0x000002f4",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3099
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1724,
                        "function_address": "0x02550000",
                        "flags": 0,
                        "process_handle": "0x00000300",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329619.031125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3345
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1768,
                        "function_address": "0x020f0000",
                        "flags": 0,
                        "process_handle": "0x000001d0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329619.031125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3354
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1692,
                        "function_address": "0x026e0000",
                        "flags": 0,
                        "process_handle": "0x00000300",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329619.031125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3366
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1700,
                        "function_address": "0x01db0000",
                        "flags": 0,
                        "process_handle": "0x000001d0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3375
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 2168,
                        "function_address": "0x03310000",
                        "flags": 0,
                        "process_handle": "0x00000300",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3390
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1244,
                        "function_address": "0x003a0000",
                        "flags": 0,
                        "process_handle": "0x000001d0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3409
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 2800,
                        "function_address": "0x02bf0000",
                        "flags": 0,
                        "process_handle": "0x00000300",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3433
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1232,
                        "function_address": "0x01d80000",
                        "flags": 0,
                        "process_handle": "0x000001d0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3442
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1724,
                        "function_address": "0x02560000",
                        "flags": 0,
                        "process_handle": "0x00000300",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329629.312125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3557
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1768,
                        "function_address": "0x02200000",
                        "flags": 0,
                        "process_handle": "0x000001d0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329629.312125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3566
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1692,
                        "function_address": "0x026f0000",
                        "flags": 0,
                        "process_handle": "0x00000300",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329629.328125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3578
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1700,
                        "function_address": "0x01dc0000",
                        "flags": 0,
                        "process_handle": "0x000001d0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329629.328125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3587
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 2168,
                        "function_address": "0x03320000",
                        "flags": 0,
                        "process_handle": "0x00000300",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329629.328125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3602
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1244,
                        "function_address": "0x003b0000",
                        "flags": 0,
                        "process_handle": "0x000001d0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329629.328125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3621
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 2800,
                        "function_address": "0x052a0000",
                        "flags": 0,
                        "process_handle": "0x00000300",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329629.344125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3645
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741790,
                    "api": "CreateRemoteThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_identifier": 0,
                        "process_identifier": 1232,
                        "function_address": "0x01f10000",
                        "flags": 0,
                        "process_handle": "0x000001d0",
                        "parameter": "0x00000000",
                        "stack_size": 0
                    },
                    "time": 1578329629.344125,
                    "tid": 1676,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 3654
            }
        ],
        "references": [
            "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
        ],
        "name": "injection_createremotethread"
    },
    {
        "markcount": 104,
        "families": [],
        "description": "Manipulates memory of a non-child process indicative of process injection",
        "severity": 3,
        "marks": [
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 1724",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1724,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x002e0000"
                    },
                    "time": 1578329585.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 1649
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 1768",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1768,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001dc",
                        "allocation_type": 12288,
                        "base_address": "0x00130000"
                    },
                    "time": 1578329586.203125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2304
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 1788",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1788,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x03e20000"
                    },
                    "time": 1578329586.484125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2351
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 1692",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1692,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x00140000"
                    },
                    "time": 1578329586.656125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2368
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 1700",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1700,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001dc",
                        "allocation_type": 12288,
                        "base_address": "0x01b20000"
                    },
                    "time": 1578329586.859125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2378
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 2168",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2168,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x01d20000"
                    },
                    "time": 1578329587.312125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2409
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 800",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 800,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001e0",
                        "allocation_type": 12288,
                        "base_address": "0x002d0000"
                    },
                    "time": 1578329587.312125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2432
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 1244",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1244,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x0000017c",
                        "allocation_type": 12288,
                        "base_address": "0x00350000"
                    },
                    "time": 1578329587.578125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2443
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 2816",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x0000017c",
                        "allocation_type": 12288,
                        "base_address": "0x03210000"
                    },
                    "time": 1578329587.594125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2473
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x0000017c",
                        "allocation_type": 12288,
                        "base_address": "0x03260000"
                    },
                    "time": 1578329587.594125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2476
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1724,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x02510000"
                    },
                    "time": 1578329597.859125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2688
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1768,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x020d0000"
                    },
                    "time": 1578329597.859125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2697
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1692,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x026c0000"
                    },
                    "time": 1578329597.859125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2709
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1700,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x01d80000"
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2718
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2168,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x01d50000"
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2733
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1244,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x00380000"
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2752
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 2800",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2800,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x04370000"
                    },
                    "time": 1578329597.875125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2780
            },
            {
                "category": "Process injection",
                "ioc": "Process 2816 manipulating memory of non-child process 1232",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1232,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x00230000"
                    },
                    "time": 1578329598.109125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 2789
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1724,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x02540000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3000
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1768,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x020e0000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3009
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1692,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x026d0000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3021
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1700,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x01da0000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3030
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2168,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x03300000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3045
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1244,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x00390000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3064
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2800,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f0",
                        "allocation_type": 12288,
                        "base_address": "0x02be0000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3088
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1232,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000002f4",
                        "allocation_type": 12288,
                        "base_address": "0x01d70000"
                    },
                    "time": 1578329608.765125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3097
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1724,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000300",
                        "allocation_type": 12288,
                        "base_address": "0x02550000"
                    },
                    "time": 1578329619.031125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3343
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1768,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001d0",
                        "allocation_type": 12288,
                        "base_address": "0x020f0000"
                    },
                    "time": 1578329619.031125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3352
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1692,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000300",
                        "allocation_type": 12288,
                        "base_address": "0x026e0000"
                    },
                    "time": 1578329619.031125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3364
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1700,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001d0",
                        "allocation_type": 12288,
                        "base_address": "0x01db0000"
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3373
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2168,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000300",
                        "allocation_type": 12288,
                        "base_address": "0x03310000"
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3388
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1244,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001d0",
                        "allocation_type": 12288,
                        "base_address": "0x003a0000"
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3407
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2800,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000300",
                        "allocation_type": 12288,
                        "base_address": "0x02bf0000"
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3431
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1232,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001d0",
                        "allocation_type": 12288,
                        "base_address": "0x01d80000"
                    },
                    "time": 1578329619.047125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3440
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1724,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000300",
                        "allocation_type": 12288,
                        "base_address": "0x02560000"
                    },
                    "time": 1578329629.312125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3555
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1768,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001d0",
                        "allocation_type": 12288,
                        "base_address": "0x02200000"
                    },
                    "time": 1578329629.312125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3564
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1692,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000300",
                        "allocation_type": 12288,
                        "base_address": "0x026f0000"
                    },
                    "time": 1578329629.312125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3576
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1700,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x000001d0",
                        "allocation_type": 12288,
                        "base_address": "0x01dc0000"
                    },
                    "time": 1578329629.328125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3585
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2168,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000300",
                        "allocation_type": 12288,
                        "base_address": "0x03320000"
                    },
                    "time": 1578329629.328125,
                    "tid": 1676,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 3600
            }
        ],
        "references": [
            "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
        ],
        "name": "injection_modifies_memory"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Creates a windows hook that monitors keyboard input (keylogger)",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "SetWindowsHookExW",
                    "return_value": 15991535,
                    "arguments": {
                        "thread_identifier": 0,
                        "callback_function": "0x00000000ffe9ae10",
                        "module_address": "0x00000000ffdf0000",
                        "hook_identifier": 13
                    },
                    "time": 1578329649.12425,
                    "tid": 1776,
                    "flags": {
                        "hook_identifier": "WH_KEYBOARD_LL"
                    }
                },
                "pid": 2800,
                "type": "call",
                "cid": 2143
            }
        ],
        "references": [],
        "name": "infostealer_keylogger"
    },
    {
        "markcount": 12,
        "families": [],
        "description": "Modifies security center warnings",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UpdatesDisableNotify",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UacDisableNotify",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusOverride",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallOverride",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UacDisableNotify",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusDisableNotify",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallDisableNotify",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "modifies_security_center_warnings"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Attempts to modify Explorer settings to prevent hidden files from being displayed",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "stealth_hiddenfile"
    },
    {
        "markcount": 10,
        "families": [],
        "description": "Disables Windows Security features",
        "severity": 5,
        "marks": [
            {
                "type": "generic",
                "description": "attempts to disable user access control",
                "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
            },
            {
                "type": "generic",
                "description": "attempts to disable antivirus notifications",
                "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride"
            },
            {
                "type": "generic",
                "description": "attempts to disable antivirus notifications",
                "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify"
            },
            {
                "type": "generic",
                "description": "attempts to disable firewall notifications",
                "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify"
            },
            {
                "type": "generic",
                "description": "attempts to disable firewall notifications",
                "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride"
            },
            {
                "type": "generic",
                "description": "attempts to disable windows update notifications",
                "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify"
            },
            {
                "type": "generic",
                "description": "disables user access control notifications",
                "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UacDisableNotify"
            },
            {
                "type": "generic",
                "description": "attempts to disable windows firewall",
                "registry": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall"
            },
            {
                "type": "generic",
                "description": "attempts to disable firewall exceptions",
                "registry": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions"
            },
            {
                "type": "generic",
                "description": "attempts to disable firewall notifications",
                "registry": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DisableNotifications"
            }
        ],
        "references": [],
        "name": "disables_security"
    }
]

Yara

The Yara rules did not detect anything in the file.

Network

{
    "tls": [],
    "udp": [
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 546,
            "time": 3.0865049362182617,
            "dport": 137,
            "sport": 137
        },
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 5874,
            "time": 9.094645023345947,
            "dport": 138,
            "sport": 138
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 7718,
            "time": 3.015049934387207,
            "dport": 5355,
            "sport": 51001
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8046,
            "time": 1.0450878143310547,
            "dport": 5355,
            "sport": 53595
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8374,
            "time": 3.0296239852905273,
            "dport": 5355,
            "sport": 53848
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8702,
            "time": 1.5494928359985352,
            "dport": 5355,
            "sport": 54255
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 9030,
            "time": -0.0847480297088623,
            "dport": 5355,
            "sport": 55314
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 9358,
            "time": 1.5631349086761475,
            "dport": 1900,
            "sport": 1900
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 28768,
            "time": 1.076200008392334,
            "dport": 3702,
            "sport": 49152
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 37152,
            "time": 3.1321418285369873,
            "dport": 1900,
            "sport": 53598
        }
    ],
    "dns_servers": [],
    "http": [],
    "icmp": [],
    "smtp": [],
    "tcp": [],
    "smtp_ex": [],
    "mitm": [],
    "hosts": [],
    "pcap_sha256": "06bbfe31b8360b056ab7e918be03455df35102c6febb3f8a642b4004f0a69186",
    "dns": [],
    "http_ex": [],
    "domains": [],
    "dead_hosts": [],
    "sorted_pcap_sha256": "95e9d1d457927365f9c1aa912d7efcff8b6dcfe1c4d33e651e8dc7ea6f1c758f",
    "irc": [],
    "https_ex": []
}


eath.exe removal instructions

The instructions below show how to remove eath.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the eath.exe file for removal, restart your computer and scan it again to verify that eath.exe has been successfully removed. Here are the removal instructions in more detail:

  1. Download and install FreeFixer: http://www.freefixer.com/download.html
  2. Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
  3. When the scan is finished, locate eath.exe in the scan result and tick the checkbox next to the eath.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate eath.exe in the scan result.
    c:\eath.exe
  4. Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the eath.exe file.
  5. Restart your computer.
  6. Start FreeFixer and scan your computer again. If eath.exe still remains in the scan result, proceed with the next step. If eath.exe is gone from the scan result you're done.
  7. If eath.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
  8. Restart your computer.
  9. Start FreeFixer and scan your computer again. Verify that eath.exe no longer appears in the scan result.

Hashes

Property Value
MD5 26927bcf1733b933c9b1e49b10d31216
SHA256 bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed

Error Messages

These are some of the error messages that can appear related to eath.exe:

eath.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

eath.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

eath.exe has stopped working.

End Program - eath.exe. This program is not responding.

eath.exe is not a valid Win32 application.

eath.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.

