eath.exe is usually located in the 'c:\' folder.
Some of the anti-virus scanners at VirusTotal detected eath.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
59 of the 67 anti-virus programs at VirusTotal detected the eath.exe file. That's an 88% detection rate.
Scanner | Detection Name |
---|---|
Acronis | suspicious |
Ad-Aware | Win32.Sality.3 |
AhnLab-V3 | Win32/Kashu.E |
ALYac | Worm.Sality.3.Gen |
Antiy-AVL | Virus/Win32.Sality.gen |
Arcabit | Win32.Sality.3 |
Avast | Win32:Sality |
AVG | Win32:Sality |
Avira | W32/Sality.AT |
Baidu | Win32.Trojan.Sality.p |
BitDefender | Win32.Sality.3 |
Bkav | W32.Sality.PE |
CAT-QuickHeal | W32.Sality.U |
ClamAV | Win.Trojan.Agent-36126 |
Comodo | Virus.Win32.Sality.gen@1egj5j |
CrowdStrike | win/malicious_confidence_100% (D) |
Cybereason | malicious.f1733b |
Cyren | W32/Sality.gen2 |
DrWeb | Win32.Sector.31 |
eGambit | Trojan.Generic |
Emsisoft | Win32.Sality.3 (B) |
Endgame | malicious (high confidence) |
ESET-NOD32 | Win32/Sality |
F-Prot | W32/Sality.gen2 |
F-Secure | Malware.W32/Sality.AT |
FireEye | Generic.mg.26927bcf1733b933 |
Fortinet | W32/LPECrypt.A!tr |
GData | Win32.Virus.Sality.A |
Ikarus | Virus.Win32.Sality |
Invincea | heuristic |
Jiangmin | Win32/HLLP.Kuku.poly2 |
K7AntiVirus | Trojan ( 001e7bc71 ) |
K7GW | Trojan ( 001e7bc71 ) |
Kaspersky | Virus.Win32.Sality.gen |
Malwarebytes | Trojan.MalPack.Gen |
MAX | malware (ai score=83) |
McAfee | W32/Sality.gen.z |
McAfee-GW-Edition | BehavesLike.Win32.Sality.cc |
Microsoft | Virus:Win32/Sality.AT |
MicroWorld-eScan | Win32.Sality.3 |
NANO-Antivirus | Virus.Win32.Sality.beygb |
Panda | W32/Sality.AK.drp |
Qihoo-360 | Trojan.Win32.SalityStub.A |
Rising | Virus.Sality!8.35A/N3#100% (RDM+:cmRtazrHldsyoX9uEXMZc9t+UQrn) |
SentinelOne | DFI - Malicious PE |
Sophos | Troj/SalLoad-C |
SUPERAntiSpyware | Trojan.Agent/Gen-CDesc[LordPE] |
TACHYON | Virus/W32.Sality.D |
Tencent | Trojan.Win32.SalityStub.a |
TheHacker | W32/Sality.gen |
TotalDefense | Win32/Sality.AA |
Trapmine | malicious.high.ml.score |
TrendMicro-HouseCall | PE_SALITY.RL-O |
VBA32 | Virus.Win32.Sality.bakc |
ViRobot | Win32.Sality.N.Host |
Yandex | Win32.Sality.BL |
Zillya | Virus.Sality.Win32.17 |
ZoneAlarm | Virus.Win32.Sality.gen |
Zoner | Trojan.Win32.Sality.22009 |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
{ "file_created": [ "C:\\nrpds.exe", "C:\\autorun.inf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe" ], "regkey_written": [ "HKEY_CURRENT_USER\\Software\\Arxv\\c3_98", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_99", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusOverride", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_135", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_143", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_140", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_113", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_119", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_98", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_99", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_109", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_135", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_37", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_57", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_129", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_126", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_84", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_37", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_102", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\GlobalUserOffline", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_10", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_129", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_102", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_129", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_120", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_122", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_22", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UacDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_29", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_90", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c4_99", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_98", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\418466543", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\1801680227", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UpdatesDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_1", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_113", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_119", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallOverride", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_116", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c1_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_113", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_119", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_29", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_22", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DisableNotifications", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_22", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_29", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_140", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c4_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_143", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UacDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_29", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-1383213684", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_22", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_143", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_140", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_135", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_113", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_119", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_17", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_89", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-691606842", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_82", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_102", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_37", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_102", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_84", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\\CheckSetting", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_88", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\1110073385", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-2074820526", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_35", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_37", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-273140299", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_129", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_140", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_143", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_135", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_78", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c1_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_99", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_98", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_72", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" ], "dll_loaded": [ "API-MS-Win-Security-LSALookup-L1-1-0.dll", "apphelp.dll", "kernel32.dll", "MSVCRT.dll", "POWRPROF.DLL", "slc.dll", "ntmarta.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "PROPSYS.dll", "KERNEL32.DLL", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "ole32.dll", "USER32.dll", "fxsst.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "WININET.DLL", "ADVAPI32.dll", "OLEAUT32", "OLEAUT32.dll", "profapi.dll", "SHELL32.dll", "C:\\Windows\\system32\\FXSRESM.DLL", "sfc", "comctl32.dll", "VERSION.dll", "MPR", "DEVRTL.dll", "SHELL32.DLL", "SETUPAPI.dll", "WS2_32.dll" ], "file_failed": [ "\\??\\L:", "\\??\\N:", "\\??\\U:", "\\??\\H:", "\\??\\W:", "\\??\\J:", "\\??\\Q:", "C:\\autorun.inf", "\\??\\D:", "\\??\\S:", "\\??\\F:", "\\??\\M:", "\\??\\X:", "\\??\\Z:", "C:\\desktop.ini", 
"C:\\Windows\\winsxs\\FileMaps\\users_cuck_appdata_local_temp_c2004f3465698a5a.cdf-ms", "\\??\\O:", "\\??\\I:", "\\??\\T:", "\\??\\V:", "\\??\\K:", "\\??\\E:", "\\??\\P:", "\\??\\R:", "\\??\\G:", "\\??\\Y:" ], "regkey_opened": [ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache ", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings", "HKEY_CURRENT_USER\\AppEvents\\EventLabels\\FaxSent", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Drive", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_CLASSES_ROOT\\Drive", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\(Default)", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}", "HKEY_CURRENT_USER\\Software\\Arxv", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shell\\open", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_CLASSES_ROOT\\Folder", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\shell\\open", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile", "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Svc", "HKEY_LOCAL_MACHINE\\System\\Setup", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\", "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\(Default)", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fax\\Client\\ServiceStartup", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed.bin", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders", "HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\control\\NetworkProvider\\HwOrder", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PropertyBag", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_CLASSES_ROOT\\SystemFileAssociations\\Drive.Fixed", "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\setup\\PnpLockdownFiles", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PropertyBag", "HKEY_CLASSES_ROOT\\CLSID\\{11DBB47C-A525-400B-9E80-A54615A090C0}\\SupportedProtocols", "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Drive\\OpenWithProgids", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\command", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\CurVer", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1", "HKEY_CLASSES_ROOT\\CLSID\\{11DBB47C-A525-400B-9E80-A54615A090C0}\\InProcServer32", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache" ], "command_line": [ "C:\\" ], "file_written": [ "C:\\Windows\\system.ini", "C:\\nrpds.exe", "C:\\autorun.inf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Roaming", "C:\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe", "C:\\nrpds.exe", 
"C:\\Users\\cuck", "C:\\autorun.inf", "C:\\Windows\\System32\\explorerframe.dll" ], "mutex": [ "cmd.exeM_1692_", "svchost.exeM_1216_", "svchost.exeM_660_", "lsass.exeM_476_", "svchost.exeM_276_", "explorer.exeM_1788_", "wmpnetwk.exeM_1856_", "svchost.exeM_712_", "winlogon.exeM_424_", "dwm.exeM_1768_", "wininit.exeM_376_", "taskhost.exeM_1724_", "searchprotocolhost.exeM_1232_", "conhost.exeM_1700_", "svchost.exeM_1000_", "lsm.exeM_484_", "csrss.exeM_328_", "svchost.exeM_480_", "smss.exeM_252_", "searchprotocolhost.exeM_1092_", "python.exeM_1244_", "bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618eM_2816_", "spoolsv.exeM_1084_", "csrss.exeM_384_", "audiodg.exeM_2560_", "services.exeM_468_", "svchost.exeM_880_", "svchost.exeM_1548_", "uxJLpe1m", "svchost.exeM_592_", "mobsync.exeM_800_", "taskhost.exeM_2312_", "svchost.exeM_804_", "searchfilterhost.exeM_2676_", "Ap1mutx7", "explorer.exeM_2800_", "svchost.exeM_3000_", "python.exeM_2168_", "svchost.exeM_3064_", "svchost.exeM_1120_", "searchindexer.exeM_1316_" ], "file_opened": [ "C:\\Windows\\System32\\ExplorerFrame.dll", "C:\\Windows\\system.ini", "C:\\Windows\\AppPatch\\sysmain.sdb", "C:\\", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\cuck\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", "C:\\Windows\\System32\\", "C:\\Users\\desktop.ini", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\slideshow.ini", "C:\\Users\\cuck\\Desktop\\desktop.ini", "C:\\autorun.inf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe", "C:\\Program Files (x86)\\desktop.ini", "C:\\Windows\\winsxs\\FileMaps\\program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms", "C:\\Program Files\\desktop.ini", "C:\\Windows\\System32\\explorerframe.dll" ], "guid": [ 
"{b57046bc-32e5-428a-9887-19f712b907bf}", "{9ba05972-f6a8-11cf-a442-00a0c90a8f39}", "{ba126ae5-2166-11d1-b1d0-00805fc1270e}", "{00000320-0000-0000-c000-000000000046}", "{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}", "{00000146-0000-0000-c000-000000000046}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{75847177-f077-4171-bd2c-a6bb2164fbd0}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{11dbb47c-a525-400b-9e80-a54615a090c0}", "{000214e6-0000-0000-c000-000000000046}", "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}", "{00000323-0000-0000-c000-000000000046}", "{ba126ad1-2166-11d1-b1d0-00805fc1270e}", "{faedcf69-31fe-11d1-aad2-00805fc1270e}", "{489e9453-869b-4bcc-a1c7-48b5285fd9d8}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{7007acc7-3202-11d1-aad2-00805fc1270e}", "{682159d9-c321-47ca-b3f1-30e36b2ec8b9}", "{85cb6900-4d95-11cf-960c-0080c7f4ee85}", "{7f9185b0-cb92-43c5-80a9-92277a4f7b54}", "{b196b284-bab4-101a-b69c-00aa00341d07}" ], "file_read": [ "C:\\Users\\cuck\\Desktop\\desktop.ini", "C:\\Users\\desktop.ini", "C:\\Windows\\system.ini", "C:\\autorun.inf", "C:\\Program Files (x86)\\desktop.ini", "C:\\Windows\\winsxs\\FileMaps\\program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms", "C:\\Program Files\\desktop.ini", "C:\\Windows\\System32\\ExplorerFrame.dll" ], "regkey_read": [ "HKEY_CURRENT_USER\\Software\\Arxv\\c3_98", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_99", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_97", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_95", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_130", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_135", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_143", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResourceType", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_120", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Category", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_121", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_111", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_113", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_112", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_114", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_119", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_118", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_98", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Icon", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_109", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\RelativePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParentFolder", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_73", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PublishExpandedPath", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_71", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_74", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_132", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResource", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_37", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\FolderTypeID", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_38", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_136", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_99", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\command\\DelegateExecute", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_3", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_52", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_129", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_128", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_126", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\LocalizedString", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_43", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c1_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_40", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\System.ItemNameDisplay", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_37", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_30", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\netshell.dll,-1200", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_38", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Category", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_75", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c4_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_102", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_103", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\_LabelFromReg", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_64", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_63", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Icon", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PreCreate", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_15", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_19", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\(Default)", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_129", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_125", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_102", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}", 
"HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Open\\.Current\\Default Flags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Attributes", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_145", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11DBB47C-A525-400B-9E80-A54615A090C0}\\InProcServer32\\(Default)", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_100", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_19", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_129", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PublishExpandedPath", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_125", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_121", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_91", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_62", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_22", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_21", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c4_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_25", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_29", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_92", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_99", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_98", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveAutoRun", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_105", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalizedName", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_133", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalRedirectOnly", "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Flags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_6", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c1_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_113", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_119", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_114", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_113", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_111", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalizedName", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_119", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_59", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{11DBB47C-A525-400B-9E80-A54615A090C0} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_51", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_29", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_22", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\System.ItemNameDisplay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\LocalRedirectOnly", "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Shuffle", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_22", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_29", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_140", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_143", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParentFolder", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_92", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_117", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Name", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_56", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_58", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_138", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\ExplorerHost", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\prnfldr.dll,-8036", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_135", "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Close\\.Current\\Default Flags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\PreCreate", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_137", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_29", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_22", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_20", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Stream", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Security", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResource", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_140", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Name", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_11", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Stream", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_143", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParsingName", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_140", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName", "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\AnimationDuration", "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Open\\.Current\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\LoadWithoutCOM", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_68", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_133", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_131", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\FolderTypeID", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_135", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_134", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_113", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Description", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_119", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_18", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_16", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\LaunchExplorerFlags", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_12", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResourceType", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_89", "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Interval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\RelativePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_76", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_70", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_130", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_106", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_115", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2ABC0864-9677-42E5-882A-D415C556C284}\\ProxyStubClsid32\\(Default)", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_100", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c1_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_102", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_108", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_37", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_31", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_102", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_105", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_88", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c1_52", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_49", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_46", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_38", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\LocalServerOnly", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_30", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_37", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_129", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_148", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_140", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_143", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_46", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\LocalizedString", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_42", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_135", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_75", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_79", "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Close\\.Current\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InitFolderHandler", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_93", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_94", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_99", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_98", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Security", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_145", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParsingName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Attributes", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_79", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_72", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_39", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Roamable", "HKEY_CURRENT_USER\\AppEvents\\Schemes\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder" ], "directory_enumerated": [ "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\main\\*", "F:\\*", "Y:\\*", "T:\\*", "C:\\Windows\\System32\\*.*", "R:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\hu-HU\\*", "K:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\*", "M:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\en-US\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\lv-LV\\*", "I:\\*", "D:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\he-IL\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\et-EE\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\keypad\\*", "C:\\Windows\\System32", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\de-DE\\*", "P:\\*", "N:\\*", "C:\\PROGRAM 
FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\web\\*", "V:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\auxpad\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\oskpred\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\HWRCUSTOMIZATION\\*", "H:\\*", "C:\\PerfLogs\\Admin\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\symbols\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\hr-HR\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\lt-LT\\*", "W:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\fr-FR\\*", "S:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\*", "C:\\PROGRAM FILES\\COMMON FILES\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\OSKNUMPAD\\*", "U:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\it-IT\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\es-ES\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ko-KR\\*", "G:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ar-SA\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\numbers\\*", "C:\\*", "Q:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\fi-FI\\*", "O:\\*", "C:\\CUCKOO-AGENT\\*", "E:\\*", "C:\\PROGRAM FILES\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ja-JP\\*", "Z:\\*", "X:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\el-GR\\*", "C:\\PerfLogs\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\cs-CZ\\*", "C:\\DOCUMENTS AND SETTINGS\\*", "C:\\Windows", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\bg-BG\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\da-DK\\*", "C:\\Users\\cuck\\AppData\\Local\\Temp\\*", "L:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\oskmenu\\*", 
"J:\\*" ], "directory_created": [ "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\" ] }
[ { "yara": [], "sha1": "59017bf82301e0a0905acbe86311c5b8a1b5eae1", "name": "96dc950eec5b8bbb_autorun.inf", "filepath": "C:\\autorun.inf", "type": "Microsoft Windows Autorun file, ASCII text, with CRLF line terminators", "sha256": "96dc950eec5b8bbb440c5dafe55b960f32ae819874e8a65dc2a3ea8c15882125", "urls": [], "crc32": "9186E62C", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4820\/files\/96dc950eec5b8bbb_autorun.inf", "ssdeep": null, "size": 288, "sha512": "5d9a7f85f2bff4e98a7311c811e34e0f9d6807bbbbab29d894307a9a4b427a9b08eb1977d99e6c77d43e90d14109cb1eb391375d40956f5c34e2ba84d558cd8d", "pids": [ 2816 ], "md5": "7bb99c897916f24300033bef83df9d6e" }, { "yara": [], "sha1": "5e3fb5a9d1bdc7457f791cbe394d3412b093646d", "name": "4a0c2745a37c7a6a_windaepms.exe", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe", "type": "PE32 executable (GUI) Intel 80386, for MS Windows", "sha256": "4a0c2745a37c7a6a6d6b906ba59f86161f2cb933fb6b223b4b851c96a5a24e53", "urls": [], "crc32": "C16721AB", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4820\/files\/4a0c2745a37c7a6a_windaepms.exe", "ssdeep": null, "size": 74752, "sha512": "1b0c2d240081796872dd63e4267697d3b6739e7699fe3fdc5ab381e2b259b2a9af533bf3acdbdd5c6ada260d462907759a4768b6576f4b9f725383090ef3b586", "pids": [ 2816 ], "md5": "88f6ec8d7bb768122cdb66e1f2a2b19a" }, { "yara": [], "sha1": "fce18a0e182657e379feef1e62b14020ee84f39f", "name": "0fbb1adc4c8cf65c_nrpds.exe", "filepath": "C:\\nrpds.exe", "type": "PE32 executable (GUI) Intel 80386, for MS Windows", "sha256": "0fbb1adc4c8cf65c919f8840c4d674cc37f2ff42e77737f9f0bb5a3621947d92", "urls": [], "crc32": "D703789C", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4820\/files\/0fbb1adc4c8cf65c_nrpds.exe", "ssdeep": null, "size": 103140, "sha512": "e3190e34d262c613d1df68c92538a37509cdccb65ac603a74f673df4a72ecb94133c3ee0f02da8820000b9c0d116938753defd76923710a4efdd4aac3a51709f", "pids": [ 2816 ], "md5": "40fd045a6c7010b4a4d028643d7c39d3" }, { "yara": [], 
"sha1": "5fb1fe7784cf7e8b7fa5c9f1a2d0189a6332cdc2", "name": "eba6dc05194afb1b_system.ini", "filepath": "C:\\Windows\\system.ini", "type": "Windows SYSTEM.INI, ASCII text, with CRLF line terminators", "sha256": "eba6dc05194afb1bdf35f61865fd86a557d931b10bfedb10b176a65242a54274", "urls": [], "crc32": "EFE31153", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4820\/files\/eba6dc05194afb1b_system.ini", "ssdeep": null, "size": 256, "sha512": "b6faf69d6f5c48da3486cf0818e0d4e0cba916934179777c230edf76183856251750d348a940ee99bc15ee54a8bbfa9e9364f2f820a256ca856eb75de1627026", "pids": [ 2816 ], "md5": "cd6efc4dc81adb1f396efaea08f465b0" } ]
[ { "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed.bin", "process_name": "bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed.bin", "pid": 2816, "summary": { "file_created": [ "C:\\nrpds.exe", "C:\\autorun.inf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe" ], "regkey_written": [ "HKEY_CURRENT_USER\\Software\\Arxv\\c3_98", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_99", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusOverride", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_135", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_143", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_140", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_113", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_119", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_98", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_99", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_109", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_135", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_37", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_39", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c4_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_129", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_126", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_83", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_37", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_102", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\GlobalUserOffline", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_61", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c4_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_129", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_102", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_129", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_125", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_120", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_121", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_1", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_22", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UacDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_29", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_95", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c4_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_99", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_98", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\418466543", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\1801680227", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UpdatesDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_8", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_9", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_6", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_7", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_4", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_5", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_2", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_3", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_0", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_1", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_113", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_119", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallOverride", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_113", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_119", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_29", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_22", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DisableNotifications", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_21", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_22", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_26", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_28", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_29", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_140", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_143", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UacDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_55", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_54", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_57", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_56", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_51", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_50", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_52", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_59", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_58", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_29", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-1383213684", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_27", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_26", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_25", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_24", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_23", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_22", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_21", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_20", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_143", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_140", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_61", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_60", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_63", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_62", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_65", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_64", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_67", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_66", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_69", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_68", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_135", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_117", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_116", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_115", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_114", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_113", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_119", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_11", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c2_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_89", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-691606842", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_106", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_102", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_37", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_102", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_82", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c1_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_88", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\1110073385", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-2074820526", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_33", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_37", "HKEY_CURRENT_USER\\Software\\Arxv\\-2022283959\\-273140299", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_129", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallDisableNotify", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_140", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_143", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_135", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_74", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c1_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_93", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_92", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_99", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_98", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_72", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" ], "dll_loaded": [ "API-MS-Win-Security-LSALookup-L1-1-0.dll", "apphelp.dll", "kernel32.dll", "MSVCRT.dll", "ntmarta.dll", "PROPSYS.dll", "KERNEL32.DLL", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "ole32.dll", "USER32.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "WININET.DLL", "ADVAPI32.dll", "OLEAUT32", "OLEAUT32.dll", "profapi.dll", "SHELL32.dll", "sfc", "comctl32.dll", "MPR", "DEVRTL.dll", "SHELL32.DLL", "SETUPAPI.dll", "WS2_32.dll" ], "file_opened": [ "C:\\Windows\\system.ini", "C:\\Windows\\AppPatch\\sysmain.sdb", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Windows\\System32\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c4_110", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_119", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_118", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_18", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_11", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_12", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_16", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\LaunchExplorerFlags", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_19", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_18", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_17", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_16", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_15", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_14", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_13", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_12", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\StreamResourceType", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_10", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_89", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\RelativePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_70", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_79", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_130", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_106", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_84", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_115", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_105", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_102", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_108", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_112", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_38", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_39", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_37", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_31", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_102", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_103", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_100", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_101", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_106", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_107", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_104", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_105", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_108", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_109", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_83", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_82", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_81", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_80", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_87", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_86", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_85", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_84", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_89", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_88", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_52", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_126", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_127", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_125", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_122", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_123", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_49", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_124", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_40", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c4_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_49", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_38", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shell\\open\\LocalServerOnly", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_30", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_31", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_32", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_33", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_34", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_35", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_36", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_37", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_128", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_129", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_148", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_111", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_141", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_140", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_143", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_142", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_145", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_147", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_146", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_49", 
"HKEY_CURRENT_USER\\Software\\Arxv\\c3_48", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_45", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_44", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_47", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_46", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_41", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_40", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_43", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_42", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_138", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_139", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_132", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_133", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_131", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_136", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_137", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_134", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_135", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_72", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_75", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_78", "HKEY_CURRENT_USER\\Software\\Arxv\\c1_79", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InitFolderHandler", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_91", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_90", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_93", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_95", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_94", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_97", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_96", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_99", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_98", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PnpLockdownFiles\\%SystemDrive%\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Security", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_53", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_144", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_145", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\ParsingName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Attributes", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_79", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_75", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_74", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_77", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_76", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_71", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_70", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_73", "HKEY_CURRENT_USER\\Software\\Arxv\\c4_72", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable", "HKEY_CURRENT_USER\\Software\\Arxv\\c2_130", "HKEY_CURRENT_USER\\Software\\Arxv\\c3_39", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\InfoTip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\\Roamable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder" ], "directory_enumerated": [ "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\main\\*", "F:\\*", "Y:\\*", "T:\\*", "C:\\Windows\\System32\\*.*", "R:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\hu-HU\\*", "K:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\*", "M:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\en-US\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\lv-LV\\*", "I:\\*", "D:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\he-IL\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\et-EE\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\keypad\\*", "C:\\Windows\\System32", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\de-DE\\*", "P:\\*", "N:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT 
SHARED\\ink\\FSDEFINITIONS\\web\\*", "V:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\auxpad\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\oskpred\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\HWRCUSTOMIZATION\\*", "H:\\*", "C:\\PerfLogs\\Admin\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\symbols\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\hr-HR\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\lt-LT\\*", "W:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\fr-FR\\*", "S:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\*", "C:\\PROGRAM FILES\\COMMON FILES\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\OSKNUMPAD\\*", "U:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\it-IT\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\es-ES\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ko-KR\\*", "G:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ar-SA\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\numbers\\*", "C:\\*", "Q:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\fi-FI\\*", "O:\\*", "C:\\CUCKOO-AGENT\\*", "E:\\*", "C:\\PROGRAM FILES\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\ja-JP\\*", "Z:\\*", "X:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\el-GR\\*", "C:\\PerfLogs\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\cs-CZ\\*", "C:\\DOCUMENTS AND SETTINGS\\*", "C:\\Windows", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\bg-BG\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\da-DK\\*", "C:\\Users\\cuck\\AppData\\Local\\Temp\\*", "L:\\*", "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\ink\\FSDEFINITIONS\\oskmenu\\*", "J:\\*" ], "directory_created": 
[ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches" ] }, "first_seen": 1578329585.578125, "ppid": 2016 }, { "process_path": "C:\\Windows\\System32\\mobsync.exe", "process_name": "mobsync.exe", "pid": 800, "summary": {}, "first_seen": 1578329587.483875, "ppid": 592 }, { "process_path": "C:\\Windows\\System32\\cmd.exe", "process_name": "cmd.exe", "pid": 1692, "summary": {}, "first_seen": 1578329586.75, "ppid": 1788 }, { "process_path": "C:\\Windows\\System32\\taskhost.exe", "process_name": "taskhost.exe", "pid": 1724, "summary": { "regkey_read": [ "HKEY_CURRENT_USER\\AppEvents\\Schemes\\(Default)", "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Close\\.Current\\Default Flags", "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Close\\.Current\\(Default)", "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Open\\.Current\\(Default)", "HKEY_CURRENT_USER\\AppEvents\\Schemes\\Apps\\.Default\\Open\\.Current\\Default Flags" ] }, "first_seen": 1578329585.953125, "ppid": 468 }, { "process_path": "C:\\Windows\\System32\\conhost.exe", "process_name": "conhost.exe", "pid": 1700, "summary": {}, "first_seen": 1578329587.202625, "ppid": 384 }, { "process_path": "C:\\Windows\\System32\\dwm.exe", "process_name": "dwm.exe", "pid": 1768, "summary": {}, "first_seen": 1578329586.359375, "ppid": 804 }, { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 476, "summary": {}, "first_seen": 1578329585.328125, "ppid": 376 }, { "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", "process_name": "SearchProtocolHost.exe", "pid": 1232, "summary": { "guid": [ "{00000323-0000-0000-c000-000000000046}", "{00000146-0000-0000-c000-000000000046}" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles" ] }, "first_seen": 1578329598.374498, "ppid": 1316 }, { "process_path": "C:\\Windows\\explorer.exe", "process_name": "explorer.exe", "pid": 1788, "summary": 
{ "regkey_written": [ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\\CheckSetting", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList" ], "file_failed": [ "C:\\desktop.ini" ], "regkey_opened": [ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100" ], "file_exists": [ "C:\\" ], "file_opened": [ "C:\\Users\\desktop.ini", "C:\\Program Files (x86)\\desktop.ini", "C:\\Program Files\\desktop.ini", "C:\\" ], "guid": [ "{00000320-0000-0000-c000-000000000046}", "{00000323-0000-0000-c000-000000000046}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{00000146-0000-0000-c000-000000000046}", "{7007acc7-3202-11d1-aad2-00805fc1270e}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{faedcf69-31fe-11d1-aad2-00805fc1270e}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{ba126ae5-2166-11d1-b1d0-00805fc1270e}", "{000214e6-0000-0000-c000-000000000046}" ], "file_read": [ "C:\\Users\\desktop.ini", "C:\\Program Files (x86)\\desktop.ini", "C:\\Program Files\\desktop.ini" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\LocalizedString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\System.ItemNameDisplay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\prnfldr.dll,-8036", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@C:\\Windows\\system32\\netshell.dll,-1200", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\System.ItemNameDisplay", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\{B725F130-47EF-101A-A5F1-02608C9EEBAC} 10", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\LoadWithoutCOM", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\InProcServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\LocalizedString", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\_LabelFromReg" ] }, "first_seen": 1578329586.5625, "ppid": 1740 }, { "process_path": "C:\\Windows\\explorer.exe", "process_name": "explorer.exe", "pid": 2800, "summary": { "directory_created": [ "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\", "C:\\Users\\cuck\\AppData\\Roaming" ], "dll_loaded": [ "API-MS-WIN-Service-Management-L1-1-0.dll", "VERSION.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "POWRPROF.DLL", "ADVAPI32.dll", "ole32.dll", "C:\\Windows\\system32\\FXSRESM.DLL", "slc.dll", "fxsst.dll" ], "file_opened": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\slideshow.ini" ], "regkey_opened": [ "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow", "HKEY_CURRENT_USER\\AppEvents\\EventLabels\\FaxSent", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fax\\Client\\ServiceStartup" ], "file_exists": [ "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Roaming" ], "guid": [ "{ba126ad1-2166-11d1-b1d0-00805fc1270e}", 
"{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{b196b284-bab4-101a-b69c-00aa00341d07}", "{75847177-f077-4171-bd2c-a6bb2164fbd0}", "{b57046bc-32e5-428a-9887-19f712b907bf}" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\\SortOrderIndex", "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\AnimationDuration", "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Interval", "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Flags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\SortOrderIndex", "HKEY_CURRENT_USER\\Control Panel\\Personalization\\Desktop Slideshow\\Shuffle", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2ABC0864-9677-42E5-882A-D415C556C284}\\ProxyStubClsid32\\(Default)" ] }, "first_seen": 1578329597.96825, "ppid": 424 } ]
[ { "markcount": 1, "families": [], "description": "Queries for the computername", "severity": 1, "marks": [ { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameA", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1578329585.750125, "tid": 2588, "flags": {} }, "pid": 2816, "type": "call", "cid": 286 } ], "references": [], "name": "antivm_queries_computername" }, { "markcount": 3, "families": [], "description": "One or more processes crashed", "severity": 1, "marks": [ { "call": { "category": "__notification__", "status": 1, "stacktrace": [], "raw": [ "stacktrace" ], "api": "__exception__", "return_value": 0, "arguments": { "stacktrace": "b\nc\n2\n6\n0\n6\n5\nd\n7\n3\na\nb\ne\ne\n8\n0\n5\ne\n0\n3\ne\nf\nb\n3\n3\n2\nb\n6\nf\na\n5\n4\n3\nd\n4\nb\n6\n2\ne\n3\nf\n1\nf\ne\nd\nf\n9\n5\n5\nf\n3\n0\n5\nd\nf\n0\n2\n7\n1\n6\n1\n8\ne\nd\n+\n0\nx\n2\nd\nc\nd\n \n@\n \n0\nx\n4\n0\n2\nd\nc\nd", "registers": { "esp": 31653680, "edi": 2179137553, "eax": 2179137553, "ebp": 31653720, "edx": 2179137554, "ebx": 32227724, "esi": 4205006, "ecx": 2008823930 }, "exception": { "instruction_r": "8a 08 40 84 c9 75 f9 2b c2 c7 45 fc fe ff ff ff", "symbol": "lstrlen+0x1a lstrcmpW-0x3f kernelbase+0xa34a", "instruction": "mov cl, byte ptr [eax]", "module": "KERNELBASE.dll", "exception_code": "0xc0000005", "offset": 41802, "address": "0x75dba34a" } }, "time": 1578329585.719125, "tid": 2588, "flags": {} }, "pid": 2816, "type": "call", "cid": 72 }, { "call": { "category": "__notification__", "status": 1, "stacktrace": [], "raw": [ "stacktrace" ], "api": "__exception__", "return_value": 0, "arguments": { "stacktrace": 
"0\nx\n5\n1\nf\n1\n9\n0\n4\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0\n\n\n0\nx\n3\n0", "registers": { "r14": 247911176, "r9": 0, "rcx": 48, "rsi": 247911176, "r10": 0, "rbx": 98187056, "rdi": 98267440, "r11": 156302544, "r8": 2007859596, "rdx": 8796092387920, "rbp": 156299888, "r15": 262145, "r12": 262144, "rsp": 156299768, "rax": 85924096, "r13": 156301057 }, "exception": { "instruction_r": "83 3d 8d d1 02 00 00 68 53 12 69 fb c7 44 24 04", "instruction": "cmp dword ptr [rip + 0x2d18d], 0", "exception_code": "0xc0000005", "symbol": "", "address": "0x51f1904" } }, "time": 1578329587.4065, "tid": 2104, "flags": {} }, "pid": 1788, "type": "call", "cid": 1075 }, { "call": { "category": "__notification__", "status": 1, "stacktrace": [], "raw": [ "stacktrace" ], "api": "__exception__", "return_value": 0, "arguments": { "stacktrace": "R\na\ni\ns\ne\nE\nx\nc\ne\np\nt\ni\no\nn\n+\n0\nx\n3\nd\n \nF\nr\ne\ne\nE\nn\nv\ni\nr\no\nn\nm\ne\nn\nt\nS\nt\nr\ni\nn\ng\ns\nW\n-\n0\nx\n3\n7\n3\n \nk\ne\nr\nn\ne\nl\nb\na\ns\ne\n+\n0\nx\na\n4\n9\nd\n \n@\n 
\n0\nx\n7\nf\ne\nf\nd\na\n1\na\n4\n9\nd\n\n\nR\np\nc\nR\na\ni\ns\ne\nE\nx\nc\ne\np\nt\ni\no\nn\n+\n0\nx\n5\n3\n \nR\np\nc\nE\nx\nc\ne\np\nt\ni\no\nn\nF\ni\nl\nt\ne\nr\n-\n0\nx\n2\nb\nd\n \nr\np\nc\nr\nt\n4\n+\n0\nx\n1\n7\n3\nc\n3\n \n@\n \n0\nx\n7\nf\ne\nf\ne\ne\nf\n7\n3\nc\n3\n\n\nC\no\nG\ne\nt\nI\nn\ns\nt\na\nn\nc\ne\nF\nr\no\nm\nF\ni\nl\ne\n+\n0\nx\na\n7\n0\na\n \nH\nA\nC\nC\nE\nL\n_\nU\ns\ne\nr\nF\nr\ne\ne\n-\n0\nx\n1\n6\nc\n6\n \no\nl\ne\n3\n2\n+\n0\nx\n1\n7\n6\n2\nb\na\n \n@\n \n0\nx\n7\nf\ne\nf\nf\nb\n6\n6\n2\nb\na\n\n\nN\nd\nr\n6\n4\nA\ns\ny\nn\nc\nS\ne\nr\nv\ne\nr\nC\na\nl\nl\nA\nl\nl\n+\n0\nx\n1\n4\nc\n9\n \nN\nd\nr\n6\n4\nA\ns\ny\nn\nc\nC\nl\ni\ne\nn\nt\nC\na\nl\nl\n-\n0\nx\n5\n1\n7\n \nr\np\nc\nr\nt\n4\n+\n0\nx\nd\nb\n9\n4\n9\n \n@\n \n0\nx\n7\nf\ne\nf\ne\nf\nb\nb\n9\n4\n9\n\n\nC\no\nG\ne\nt\nI\nn\ns\nt\na\nn\nc\ne\nF\nr\no\nm\nF\ni\nl\ne\n+\n0\nx\n6\n6\n2\n0\n \nH\nA\nC\nC\nE\nL\n_\nU\ns\ne\nr\nF\nr\ne\ne\n-\n0\nx\n5\n7\nb\n0\n \no\nl\ne\n3\n2\n+\n0\nx\n1\n7\n2\n1\nd\n0\n \n@\n \n0\nx\n7\nf\ne\nf\nf\nb\n6\n2\n1\nd\n0\n\n\nD\nc\no\nm\nC\nh\na\nn\nn\ne\nl\nS\ne\nt\nH\nR\ne\ns\nu\nl\nt\n+\n0\nx\n3\n0\n6\n6\n \nO\nb\nj\ne\nc\nt\nS\nt\nu\nb\nl\ne\ns\ns\nC\nl\ni\ne\nn\nt\n3\n-\n0\nx\n7\ne\ne\n \no\nl\ne\n3\n2\n+\n0\nx\n2\nd\n8\na\n2\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n1\nd\n8\na\n2\n\n\nO\nb\nj\ne\nc\nt\nS\nt\nu\nb\nl\ne\ns\ns\nC\nl\ni\ne\nn\nt\n5\n+\n0\nx\n1\n8\n3\n \nI\ns\nV\na\nl\ni\nd\nI\nn\nt\ne\nr\nf\na\nc\ne\n-\n0\nx\n1\n0\n5\nd\n \no\nl\ne\n3\n2\n+\n0\nx\n3\n1\nb\nb\n3\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n2\n1\nb\nb\n3\n\n\nO\nb\nj\ne\nc\nt\nS\nt\nu\nb\nl\ne\ns\ns\nC\nl\ni\ne\nn\nt\n5\n+\n0\nx\nf\n2\n \nI\ns\nV\na\nl\ni\nd\nI\nn\nt\ne\nr\nf\na\nc\ne\n-\n0\nx\n1\n0\ne\ne\n \no\nl\ne\n3\n2\n+\n0\nx\n3\n1\nb\n2\n2\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n2\n1\nb\n2\n2\n\n\nC\no\nM\na\nr\ns\nh\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\n2\n6\n3\nf\n \nO\nb\nj\ne\nc\nt\nS\nt\nu\nb\nl\ne\ns\ns\nC\nl\ni\ne\nn\nt\n5\n-\n0\nx\n2\n4\n5\n 
\no\nl\ne\n3\n2\n+\n0\nx\n3\n1\n7\ne\nb\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n2\n1\n7\ne\nb\n\n\nC\no\nM\na\nr\ns\nh\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\n2\n2\n6\nb\n \nO\nb\nj\ne\nc\nt\nS\nt\nu\nb\nl\ne\ns\ns\nC\nl\ni\ne\nn\nt\n5\n-\n0\nx\n6\n1\n9\n \no\nl\ne\n3\n2\n+\n0\nx\n3\n1\n4\n1\n7\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n2\n1\n4\n1\n7\n\n\nC\no\nS\ne\nt\nS\nt\na\nt\ne\n+\n0\nx\n4\n5\na\n \nD\nc\no\nm\nC\nh\na\nn\nn\ne\nl\nS\ne\nt\nH\nR\ne\ns\nu\nl\nt\n-\n0\nx\n1\n3\n4\n2\n \no\nl\ne\n3\n2\n+\n0\nx\n2\n9\n4\nf\na\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n1\n9\n4\nf\na\n\n\nC\no\nS\ne\nt\nS\nt\na\nt\ne\n+\n0\nx\n3\n8\n8\n \nD\nc\no\nm\nC\nh\na\nn\nn\ne\nl\nS\ne\nt\nH\nR\ne\ns\nu\nl\nt\n-\n0\nx\n1\n4\n1\n4\n \no\nl\ne\n3\n2\n+\n0\nx\n2\n9\n4\n2\n8\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n1\n9\n4\n2\n8\n\n\nC\no\nS\ne\nt\nS\nt\na\nt\ne\n+\n0\nx\na\na\n9\n \nD\nc\no\nm\nC\nh\na\nn\nn\ne\nl\nS\ne\nt\nH\nR\ne\ns\nu\nl\nt\n-\n0\nx\nc\nf\n3\n \no\nl\ne\n3\n2\n+\n0\nx\n2\n9\nb\n4\n9\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n1\n9\nb\n4\n9\n\n\nC\no\nR\ne\ng\ni\ns\nt\ne\nr\nM\ne\ns\ns\na\ng\ne\nF\ni\nl\nt\ne\nr\n+\n0\nx\n1\n5\n3\nb\n \nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\n-\n0\nx\n3\n3\n4\n1\n \no\nl\ne\n3\n2\n+\n0\nx\n1\nd\nf\nd\n3\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n0\nd\nf\nd\n3\n\n\nC\no\nR\ne\ng\ni\ns\nt\ne\nr\nM\ne\ns\ns\na\ng\ne\nF\ni\nl\nt\ne\nr\n+\n0\nx\n1\n1\nc\n0\n \nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\n-\n0\nx\n3\n6\nb\nc\n \no\nl\ne\n3\n2\n+\n0\nx\n1\nd\nc\n5\n8\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n0\nd\nc\n5\n8\n\n\nC\no\nR\ne\ng\ni\ns\nt\ne\nr\nM\ne\ns\ns\na\ng\ne\nF\ni\nl\nt\ne\nr\n+\n0\nx\nb\n9\n7\n \nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\n-\n0\nx\n3\nc\ne\n5\n \no\nl\ne\n3\n2\n+\n0\nx\n1\nd\n6\n2\nf\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n0\nd\n6\n2\nf\n\n\nC\no\nR\ne\ng\ni\ns\nt\ne\nr\nM\ne\ns\ns\na\ng\ne\nF\ni\nl\nt\ne\nr\n+\n0\nx\n1\n3\nf\ne\n \nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\n-\n0\nx\n3\n4\n7\ne\n \no\nl\ne\n3\n2\n+\n0\nx\n1\nd\ne\n9\n6\n \n@\n 
\n0\nx\n7\nf\ne\nf\nf\na\n0\nd\ne\n9\n6\n\n\nO\nb\nj\ne\nc\nt\nS\nt\nu\nb\nl\ne\ns\ns\nC\nl\ni\ne\nn\nt\n3\n2\n+\n0\nx\n7\n3\nc\n2\n \nC\no\nD\ni\ns\nc\no\nn\nn\ne\nc\nt\nC\no\nn\nt\ne\nx\nt\n-\n0\nx\n9\nc\nb\n6\n \no\nl\ne\n3\n2\n+\n0\nx\n4\na\ne\nc\n2\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n3\na\ne\nc\n2\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\n+\n0\nx\n1\n0\n1\n0\n \nC\no\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\n-\n0\nx\n7\n0\nc\n \no\nl\ne\n3\n2\n+\n0\nx\n2\n2\n3\n2\n4\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n1\n2\n3\n2\n4\n\n\nC\no\nR\ne\ng\ni\ns\nt\ne\nr\nM\ne\ns\ns\na\ng\ne\nF\ni\nl\nt\ne\nr\n+\n0\nx\n3\nc\n3\n0\n \nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\n-\n0\nx\nc\n4\nc\n \no\nl\ne\n3\n2\n+\n0\nx\n2\n0\n6\nc\n8\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n1\n0\n6\nc\n8\n\n\nC\no\nR\ne\ng\ni\ns\nt\ne\nr\nM\ne\ns\ns\na\ng\ne\nF\ni\nl\nt\ne\nr\n+\n0\nx\n3\nc\n0\n1\n \nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\n-\n0\nx\nc\n7\nb\n \no\nl\ne\n3\n2\n+\n0\nx\n2\n0\n6\n9\n9\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n1\n0\n6\n9\n9\n\n\nC\no\nD\ni\ns\na\nb\nl\ne\nC\na\nl\nl\nC\na\nn\nc\ne\nl\nl\na\nt\ni\no\nn\n+\n0\nx\n3\nf\nc\n \nO\nb\nj\ne\nc\nt\nS\nt\nu\nb\nl\ne\ns\ns\nC\nl\ni\ne\nn\nt\n2\n4\n-\n0\nx\ne\n4\n \no\nl\ne\n3\n2\n+\n0\nx\ne\n7\na\nc\n \n@\n \n0\nx\n7\nf\ne\nf\nf\n9\nf\ne\n7\na\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\n+\n0\nx\na\n6\n \nC\no\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\n-\n0\nx\n1\n6\n7\n6\n \no\nl\ne\n3\n2\n+\n0\nx\n2\n1\n3\nb\na\n \n@\n \n0\nx\n7\nf\ne\nf\nf\na\n1\n1\n3\nb\na\n\n\nN\ne\nw\n_\no\nl\ne\n3\n2\n_\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\n+\n0\nx\n5\n7\n \nN\ne\nw\n_\no\nl\ne\n3\n2\n_\nO\nl\ne\nC\no\nn\nv\ne\nr\nt\nO\nL\nE\nS\nT\nR\nE\nA\nM\nT\no\nI\nS\nt\no\nr\na\ng\ne\n-\n0\nx\n5\n3\n \n@\n \n0\nx\n6\n5\na\na\n7\n6\n1\ne\n\n\nm\no\nb\ns\ny\nn\nc\n+\n0\nx\n6\n8\n4\n0\n \n@\n \n0\nx\nf\nf\n1\n0\n6\n8\n4\n0\n\n\nm\no\nb\ns\ny\nn\nc\n+\n0\nx\n7\n0\na\ne\n \n@\n 
\n0\nx\nf\nf\n1\n0\n7\n0\na\ne\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\nd\n \nC\nr\ne\na\nt\ne\nT\nh\nr\ne\na\nd\n-\n0\nx\n5\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n6\n5\n2\nd\n \n@\n \n0\nx\n7\n7\n7\na\n6\n5\n2\nd\n\n\nR\nt\nl\nU\ns\ne\nr\nT\nh\nr\ne\na\nd\nS\nt\na\nr\nt\n+\n0\nx\n2\n1\n \ns\nt\nr\nc\nh\nr\n-\n0\nx\n3\nd\nf\n \nn\nt\nd\nl\nl\n+\n0\nx\n2\nc\n5\n2\n1\n \n@\n \n0\nx\n7\n7\n9\nd\nc\n5\n2\n1", "registers": { "r14": 0, "r9": 0, "rcx": 1762560, "rsi": 0, "r10": 0, "rbx": 0, "rdi": 0, "r11": 1764320, "r8": 0, "rdx": 1, "rbp": 0, "r15": 0, "r12": 0, "rsp": 1769376, "rax": 2010841956, "r13": 0 }, "exception": { "instruction_r": "48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00", "symbol": "RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d", "instruction": "add rsp, 0xc8", "module": "KERNELBASE.dll", "exception_code": "0x80010012", "offset": 42141, "address": "0x7fefda1a49d" } }, "time": 1578329587.858875, "tid": 1584, "flags": {} }, "pid": 800, "type": "call", "cid": 19 } ], "references": [], "name": "raises_exception" }, { "markcount": 0, "families": [], "description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.", "severity": 2, "marks": [], "references": [], "name": "dumped_buffer" }, { "markcount": 2, "families": [], "description": "Allocates read-write-execute memory (usually to unpack itself)", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "region_size": 17358848, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 12288, "base_address": "0x01e30000" }, "time": 1578329585.687125, "tid": 2588, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, 
"type": "call", "cid": 36 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "length": 4096, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x01e30000" }, "time": 1578329585.734125, "tid": 2588, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 192 } ], "references": [], "name": "allocates_rwx" }, { "markcount": 0, "families": [], "description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed", "severity": 2, "marks": [], "references": [ "https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb" ], "name": "antisandbox_foregroundwindows" }, { "markcount": 1, "families": [], "description": "A process attempted to delay the analysis task.", "severity": 2, "marks": [ { "type": "generic", "description": "bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed.bin tried to sleep 844 seconds, actually delayed analysis time by 844 seconds" } ], "references": [], "name": "antisandbox_sleep" }, { "markcount": 1, "families": [], "description": "Creates an autorun.inf file", "severity": 2, "marks": [ { "category": "file", "ioc": "C:\\autorun.inf", "type": "ioc", "description": null } ], "references": [], "name": "spreading_autoruninf" }, { "markcount": 1, "families": [], "description": "Drops an executable to the user AppData folder", "severity": 2, "marks": [ { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\windaepms.exe", "type": "ioc", "description": null } ], "references": [], "name": "exe_appdata" }, { "markcount": 1, "families": [], "description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping", "severity": 2, "marks": [ { "call": { 
"category": "process", "status": 1, "stacktrace": [], "api": "Process32NextW", "return_value": 1, "arguments": { "process_name": "SearchProtocolHost.exe", "snapshot_handle": "0x000002e8", "process_identifier": 1232 }, "time": 1578329598.109125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2785 } ], "references": [], "name": "injection_process_search" }, { "markcount": 2, "families": [], "description": "The binary likely contains encrypted or compressed data indicative of a packer", "severity": 2, "marks": [ { "entropy": 7.990026038664141, "section": { "size_of_data": "0x00013200", "virtual_address": "0x00001000", "entropy": 7.990026038664141, "name": ".text", "virtual_size": "0x00014000" }, "type": "generic", "description": "A section with a high entropy has been found" }, { "entropy": 1, "type": "generic", "description": "Overall entropy of this PE file is high" } ], "references": [ "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html", "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf" ], "name": "packer_entropy" }, { "markcount": 12, "families": [], "description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege", "severity": 2, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329587.312125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2425 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329597.875125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2745 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { 
"system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329608.765125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3057 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329619.047125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3400 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329629.328125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3612 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329639.609125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3886 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329649.875125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 4110 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329660.140125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 4328 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329670.422125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 4569 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", 
"return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329680.672125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 4772 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329690.969125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 4996 }, { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1578329701.265125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 5239 } ], "references": [], "name": "privilege_luid_check" }, { "markcount": 93, "families": [], "description": "Allocates execute permission to another process indicative of possible code injection", "severity": 3, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", "allocation_type": 12288, "base_address": "0x002e0000" }, "time": 1578329585.875125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 1649 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001dc", "allocation_type": 12288, "base_address": "0x00130000" }, "time": 1578329586.203125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": 
"MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2304 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1788, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", "allocation_type": 12288, "base_address": "0x03e20000" }, "time": 1578329586.484125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2351 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", "allocation_type": 12288, "base_address": "0x00140000" }, "time": 1578329586.656125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2368 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001dc", "allocation_type": 12288, "base_address": "0x01b20000" }, "time": 1578329586.859125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2378 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", 
"allocation_type": 12288, "base_address": "0x01d20000" }, "time": 1578329587.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2409 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", "allocation_type": 12288, "base_address": "0x002d0000" }, "time": 1578329587.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2432 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x0000017c", "allocation_type": 12288, "base_address": "0x00350000" }, "time": 1578329587.578125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2443 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x0000017c", "allocation_type": 12288, "base_address": "0x03210000" }, "time": 1578329587.594125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2473 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { 
"process_identifier": 2816, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x0000017c", "allocation_type": 12288, "base_address": "0x03260000" }, "time": 1578329587.594125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2476 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x02510000" }, "time": 1578329597.859125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2688 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x020d0000" }, "time": 1578329597.859125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2697 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x026c0000" }, "time": 1578329597.859125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, 
"type": "call", "cid": 2709 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x01d80000" }, "time": 1578329597.875125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2718 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x01d50000" }, "time": 1578329597.875125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2733 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x00380000" }, "time": 1578329597.875125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2752 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": 
"0x04370000" }, "time": 1578329597.875125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2780 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1232, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x00230000" }, "time": 1578329598.109125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2789 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x02540000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3000 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x020e0000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3009 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 
8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x026d0000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3021 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x01da0000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3030 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x03300000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3045 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x00390000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3064 }, { "call": { 
"category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x02be0000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3088 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1232, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x01d70000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3097 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x02550000" }, "time": 1578329619.031125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3343 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x020f0000" }, "time": 1578329619.031125, "tid": 
1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3352 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x026e0000" }, "time": 1578329619.031125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3364 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x01db0000" }, "time": 1578329619.047125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3373 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x03310000" }, "time": 1578329619.047125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3388 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, 
"heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x003a0000" }, "time": 1578329619.047125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3407 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x02bf0000" }, "time": 1578329619.047125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3431 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1232, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x01d80000" }, "time": 1578329619.047125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3440 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x02560000" }, "time": 1578329629.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3555 }, { "call": { "category": "process", "status": 1, "stacktrace": [], 
"api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x02200000" }, "time": 1578329629.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3564 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x026f0000" }, "time": 1578329629.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3576 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x01dc0000" }, "time": 1578329629.328125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3585 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x03320000" }, "time": 1578329629.328125, "tid": 1676, "flags": { "protection": 
"PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3600 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x003b0000" }, "time": 1578329629.328125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3619 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x052a0000" }, "time": 1578329629.344125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3643 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1232, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x01f10000" }, "time": 1578329629.344125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3652 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, 
"protection": 64, "process_handle": "0x00000324", "allocation_type": 12288, "base_address": "0x02570000" }, "time": 1578329639.594125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3829 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000320", "allocation_type": 12288, "base_address": "0x02660000" }, "time": 1578329639.594125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3838 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000324", "allocation_type": 12288, "base_address": "0x02700000" }, "time": 1578329639.594125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3850 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000320", "allocation_type": 12288, "base_address": "0x01dd0000" }, "time": 1578329639.594125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3859 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": 
"NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000324", "allocation_type": 12288, "base_address": "0x03330000" }, "time": 1578329639.594125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3874 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000320", "allocation_type": 12288, "base_address": "0x003c0000" }, "time": 1578329639.609125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3893 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000324", "allocation_type": 12288, "base_address": "0x052d0000" }, "time": 1578329639.609125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3917 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1232, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000320", "allocation_type": 12288, "base_address": "0x01f30000" }, "time": 1578329639.609125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", 
"allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3926 } ], "references": [], "name": "allocates_execute_remote_process" }, { "markcount": 1, "families": [], "description": "Installs itself for autorun at Windows startup", "severity": 3, "marks": [ { "category": "file", "ioc": "C:\\Windows\\system.ini", "type": "ioc", "description": null } ], "references": [], "name": "persistence_autorun" }, { "markcount": 1, "families": [], "description": "Operates on local firewall's policies and settings", "severity": 3, "marks": [ { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile", "type": "ioc", "description": null } ], "references": [], "name": "bypass_firewall" }, { "markcount": 101, "families": [], "description": "Creates a thread using CreateRemoteThread in a non-child process indicative of process injection", "severity": 3, "marks": [ { "category": "Process injection", "ioc": "Process 2816 created a remote thread in non-child process 1724", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1724, "function_address": "0x002e0000", "flags": 0, "process_handle": "0x000001e0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329586.156125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 1696 }, { "category": "Process injection", "ioc": "Process 2816 created a remote thread in non-child process 1768", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1768, "function_address": "0x00130000", "flags": 0, 
"process_handle": "0x000001dc", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329586.484125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2344 }, { "category": "Process injection", "ioc": "Process 2816 created a remote thread in non-child process 1788", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1788, "function_address": "0x03e20000", "flags": 0, "process_handle": "0x000001e0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329586.656125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2354 }, { "category": "Process injection", "ioc": "Process 2816 created a remote thread in non-child process 1692", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1692, "function_address": "0x00140000", "flags": 0, "process_handle": "0x000001e0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329586.859125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2371 }, { "category": "Process injection", "ioc": "Process 2816 created a remote thread in non-child process 1700", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1700, "function_address": "0x01b20000", "flags": 0, "process_handle": "0x000001dc", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329587.312125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2388 }, { "category": "Process injection", "ioc": 
"Process 2816 created a remote thread in non-child process 2168", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 2168, "function_address": "0x01d20000", "flags": 0, "process_handle": "0x000001e0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329587.312125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2411 }, { "category": "Process injection", "ioc": "Process 2816 created a remote thread in non-child process 800", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 800, "function_address": "0x002d0000", "flags": 0, "process_handle": "0x000001e0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329587.578125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2436 }, { "category": "Process injection", "ioc": "Process 2816 created a remote thread in non-child process 1244", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1244, "function_address": "0x00350000", "flags": 0, "process_handle": "0x0000017c", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329587.594125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2445 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1724, "function_address": "0x02510000", 
"flags": 0, "process_handle": "0x000002f0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329597.859125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2690 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1768, "function_address": "0x020d0000", "flags": 0, "process_handle": "0x000002f4", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329597.859125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2699 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1692, "function_address": "0x026c0000", "flags": 0, "process_handle": "0x000002f0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329597.875125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2711 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1700, "function_address": "0x01d80000", "flags": 0, "process_handle": "0x000002f4", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329597.875125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2720 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 2168, "function_address": "0x01d50000", "flags": 0, "process_handle": "0x000002f0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329597.875125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2735 }, { "call": { 
"category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1244, "function_address": "0x00380000", "flags": 0, "process_handle": "0x000002f4", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329597.875125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2754 }, { "category": "Process injection", "ioc": "Process 2816 created a remote thread in non-child process 2800", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 2800, "function_address": "0x04370000", "flags": 0, "process_handle": "0x000002f4", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329598.109125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2782 }, { "category": "Process injection", "ioc": "Process 2816 created a remote thread in non-child process 1232", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1232, "function_address": "0x00230000", "flags": 0, "process_handle": "0x000002f0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329598.515125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 2802 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1724, "function_address": "0x02540000", "flags": 0, "process_handle": "0x000002f0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329608.765125, 
"tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3002 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1768, "function_address": "0x020e0000", "flags": 0, "process_handle": "0x000002f4", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329608.765125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3011 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1692, "function_address": "0x026d0000", "flags": 0, "process_handle": "0x000002f0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329608.765125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3023 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1700, "function_address": "0x01da0000", "flags": 0, "process_handle": "0x000002f4", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329608.765125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3032 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 2168, "function_address": "0x03300000", "flags": 0, "process_handle": "0x000002f0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329608.765125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3047 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", 
"return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1244, "function_address": "0x00390000", "flags": 0, "process_handle": "0x000002f4", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329608.765125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3066 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 2800, "function_address": "0x02be0000", "flags": 0, "process_handle": "0x000002f0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329608.765125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3090 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1232, "function_address": "0x01d70000", "flags": 0, "process_handle": "0x000002f4", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329608.765125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3099 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1724, "function_address": "0x02550000", "flags": 0, "process_handle": "0x00000300", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329619.031125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3345 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1768, "function_address": "0x020f0000", "flags": 0, "process_handle": "0x000001d0", "parameter": "0x00000000", "stack_size": 0 }, 
"time": 1578329619.031125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3354 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1692, "function_address": "0x026e0000", "flags": 0, "process_handle": "0x00000300", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329619.031125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3366 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1700, "function_address": "0x01db0000", "flags": 0, "process_handle": "0x000001d0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329619.047125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3375 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 2168, "function_address": "0x03310000", "flags": 0, "process_handle": "0x00000300", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329619.047125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3390 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1244, "function_address": "0x003a0000", "flags": 0, "process_handle": "0x000001d0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329619.047125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3409 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, 
"api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 2800, "function_address": "0x02bf0000", "flags": 0, "process_handle": "0x00000300", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329619.047125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3433 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1232, "function_address": "0x01d80000", "flags": 0, "process_handle": "0x000001d0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329619.047125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3442 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1724, "function_address": "0x02560000", "flags": 0, "process_handle": "0x00000300", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329629.312125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3557 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1768, "function_address": "0x02200000", "flags": 0, "process_handle": "0x000001d0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329629.312125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3566 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1692, "function_address": "0x026f0000", "flags": 0, "process_handle": "0x00000300", "parameter": 
"0x00000000", "stack_size": 0 }, "time": 1578329629.328125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3578 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1700, "function_address": "0x01dc0000", "flags": 0, "process_handle": "0x000001d0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329629.328125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3587 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 2168, "function_address": "0x03320000", "flags": 0, "process_handle": "0x00000300", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329629.328125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3602 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1244, "function_address": "0x003b0000", "flags": 0, "process_handle": "0x000001d0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329629.328125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3621 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 2800, "function_address": "0x052a0000", "flags": 0, "process_handle": "0x00000300", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329629.344125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3645 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 
5, "nt_status": -1073741790, "api": "CreateRemoteThread", "return_value": 0, "arguments": { "thread_identifier": 0, "process_identifier": 1232, "function_address": "0x01f10000", "flags": 0, "process_handle": "0x000001d0", "parameter": "0x00000000", "stack_size": 0 }, "time": 1578329629.344125, "tid": 1676, "flags": {} }, "pid": 2816, "type": "call", "cid": 3654 } ], "references": [ "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "name": "injection_createremotethread" }, { "markcount": 104, "families": [], "description": "Manipulates memory of a non-child process indicative of process injection", "severity": 3, "marks": [ { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 1724", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", "allocation_type": 12288, "base_address": "0x002e0000" }, "time": 1578329585.875125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 1649 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 1768", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001dc", "allocation_type": 12288, "base_address": "0x00130000" }, "time": 1578329586.203125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": 
"MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2304 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 1788", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1788, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", "allocation_type": 12288, "base_address": "0x03e20000" }, "time": 1578329586.484125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2351 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 1692", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", "allocation_type": 12288, "base_address": "0x00140000" }, "time": 1578329586.656125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2368 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 1700", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001dc", "allocation_type": 12288, "base_address": "0x01b20000" }, "time": 1578329586.859125, "tid": 1676, "flags": { 
"protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2378 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 2168", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", "allocation_type": 12288, "base_address": "0x01d20000" }, "time": 1578329587.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2409 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 800", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001e0", "allocation_type": 12288, "base_address": "0x002d0000" }, "time": 1578329587.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2432 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 1244", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x0000017c", "allocation_type": 12288, "base_address": "0x00350000" }, 
"time": 1578329587.578125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2443 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 2816", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x0000017c", "allocation_type": 12288, "base_address": "0x03210000" }, "time": 1578329587.594125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2473 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x0000017c", "allocation_type": 12288, "base_address": "0x03260000" }, "time": 1578329587.594125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2476 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x02510000" }, "time": 1578329597.859125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2688 }, { "call": { "category": "process", "status": 1, 
"stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x020d0000" }, "time": 1578329597.859125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2697 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x026c0000" }, "time": 1578329597.859125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2709 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x01d80000" }, "time": 1578329597.875125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2718 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x01d50000" }, "time": 1578329597.875125, "tid": 1676, "flags": { "protection": 
"PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2733 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x00380000" }, "time": 1578329597.875125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2752 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 2800", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x04370000" }, "time": 1578329597.875125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 2780 }, { "category": "Process injection", "ioc": "Process 2816 manipulating memory of non-child process 1232", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1232, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x00230000" }, "time": 1578329598.109125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": 
"call", "cid": 2789 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x02540000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3000 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x020e0000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3009 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x026d0000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3021 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x01da0000" }, 
"time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3030 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x03300000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3045 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x00390000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3064 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f0", "allocation_type": 12288, "base_address": "0x02be0000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3088 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1232, "region_size": 8192, 
"stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000002f4", "allocation_type": 12288, "base_address": "0x01d70000" }, "time": 1578329608.765125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3097 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x02550000" }, "time": 1578329619.031125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3343 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x020f0000" }, "time": 1578329619.031125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3352 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x026e0000" }, "time": 1578329619.031125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3364 }, { "call": { 
"category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x01db0000" }, "time": 1578329619.047125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3373 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x03310000" }, "time": 1578329619.047125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3388 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1244, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x003a0000" }, "time": 1578329619.047125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3407 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2800, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x02bf0000" }, "time": 1578329619.047125, "tid": 
1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3431 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1232, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x01d80000" }, "time": 1578329619.047125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3440 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1724, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x02560000" }, "time": 1578329629.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3555 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1768, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x02200000" }, "time": 1578329629.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3564 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1692, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, 
"heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x026f0000" }, "time": 1578329629.312125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3576 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1700, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x000001d0", "allocation_type": 12288, "base_address": "0x01dc0000" }, "time": 1578329629.328125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3585 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2168, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0x00000300", "allocation_type": 12288, "base_address": "0x03320000" }, "time": 1578329629.328125, "tid": 1676, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 3600 } ], "references": [ "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "name": "injection_modifies_memory" }, { "markcount": 1, "families": [], "description": "Creates a windows hook that monitors keyboard input (keylogger)", "severity": 3, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "SetWindowsHookExW", "return_value": 15991535, "arguments": { "thread_identifier": 0, "callback_function": "0x00000000ffe9ae10", "module_address": "0x00000000ffdf0000", "hook_identifier": 13 }, "time": 
1578329649.12425, "tid": 1776, "flags": { "hook_identifier": "WH_KEYBOARD_LL" } }, "pid": 2800, "type": "call", "cid": 2143 } ], "references": [], "name": "infostealer_keylogger" }, { "markcount": 12, "families": [], "description": "Modifies security center warnings", "severity": 3, "marks": [ { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UpdatesDisableNotify", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UacDisableNotify", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusOverride", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UpdatesDisableNotify", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallOverride", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\UacDisableNotify", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\AntiVirusDisableNotify", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify", "type": "ioc", "description": null }, { "category": "registry", "ioc": 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\Svc\\FirewallDisableNotify", "type": "ioc", "description": null } ], "references": [], "name": "modifies_security_center_warnings" }, { "markcount": 1, "families": [], "description": "Attempts to modify Explorer settings to prevent hidden files from being displayed", "severity": 3, "marks": [ { "category": "registry", "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "type": "ioc", "description": null } ], "references": [], "name": "stealth_hiddenfile" }, { "markcount": 10, "families": [], "description": "Disables Windows Security features", "severity": 5, "marks": [ { "type": "generic", "description": "attempts to disable user access control", "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" }, { "type": "generic", "description": "attempts to disable antivirus notifications", "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride" }, { "type": "generic", "description": "attempts to disable antivirus notifications", "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify" }, { "type": "generic", "description": "attempts to disable firewall notifications", "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallDisableNotify" }, { "type": "generic", "description": "attempts to disable firewall notifications", "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\FirewallOverride" }, { "type": "generic", "description": "attempts to disable windows update notifications", "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security 
Center\\UpdatesDisableNotify" }, { "type": "generic", "description": "disables user access control notifications", "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UacDisableNotify" }, { "type": "generic", "description": "attempts to disable windows firewall", "registry": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall" }, { "type": "generic", "description": "attempts to disable firewall exceptions", "registry": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions" }, { "type": "generic", "description": "attempts to disable firewall notifications", "registry": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DisableNotifications" } ], "references": [], "name": "disables_security" } ]
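The signature dump above is worth reading as three distinct behaviours rather than one wall of JSON: pid 2816 allocates a fresh 8 KB PAGE_EXECUTE_READWRITE region in the same set of unrelated processes roughly every ten seconds (compare the "time" values), pid 2800 installs a WH_KEYBOARD_LL hook with thread_identifier 0, and the "generic" marks name the Security Center, UAC and firewall policy values that were touched. The script below, an added example that is not part of the FreeFixer page or of Cuckoo, pulls those three facts out of a Cuckoo-style "signatures" array. SAMPLE_REPORT is constructed to mirror the shape of the JSON above (same field names, a handful of representative marks), and the CLEAN_VALUES table of expected registry values is an assumption based on Windows defaults.

```python
"""Triage a Cuckoo-style 'signatures' array for cross-process RWX allocation,
a global keyboard hook, and Security Center / firewall policy tampering.
Added example; SAMPLE_REPORT is constructed, not copied from the page."""
import json
from collections import Counter

PAGE_EXECUTE_READWRITE = 0x40   # the "protection": 64 seen on every allocation above
WH_KEYBOARD_LL = 13             # "hook_identifier": 13 in the SetWindowsHookExW call

# Value each named registry setting carries on an untampered host (assumption
# based on Windows defaults; verify against a known-clean machine).
CLEAN_VALUES = {
    "AntiVirusOverride": 0, "AntiVirusDisableNotify": 0,
    "FirewallOverride": 0, "FirewallDisableNotify": 0,
    "UpdatesDisableNotify": 0, "UacDisableNotify": 0,
    "EnableLUA": 1, "EnableFirewall": 1,
    "DoNotAllowExceptions": 0, "DisableNotifications": 0,
}

SAMPLE_REPORT = json.loads(r'''
{"signatures": [
 {"name": "injection_modifies_memory", "severity": 3, "marks": [
   {"type": "ioc", "category": "Process injection",
    "ioc": "Process 2816 manipulating memory of non-child process 1788"},
   {"type": "call", "pid": 2816, "call": {"api": "NtAllocateVirtualMemory",
    "arguments": {"process_identifier": 1788, "protection": 64, "region_size": 8192}}},
   {"type": "call", "pid": 2816, "call": {"api": "NtAllocateVirtualMemory",
    "arguments": {"process_identifier": 1692, "protection": 64, "region_size": 8192}}},
   {"type": "call", "pid": 2816, "call": {"api": "NtAllocateVirtualMemory",
    "arguments": {"process_identifier": 2816, "protection": 64, "region_size": 4096}}},
   {"type": "call", "pid": 2816, "call": {"api": "NtAllocateVirtualMemory",
    "arguments": {"process_identifier": 1788, "protection": 4, "region_size": 4096}}}]},
 {"name": "infostealer_keylogger", "severity": 3, "marks": [
   {"type": "call", "pid": 2800, "call": {"api": "SetWindowsHookExW",
    "arguments": {"hook_identifier": 13, "thread_identifier": 0}}}]},
 {"name": "disables_security", "severity": 5, "marks": [
   {"type": "generic", "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"},
   {"type": "generic", "registry": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\AntiVirusOverride"},
   {"type": "generic", "registry": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall"}]}
]}
''')


def iter_calls(signatures, api):
    """Yield (caller pid, arguments) for every 'call' mark of the given API."""
    for sig in signatures:
        for mark in sig.get("marks", []):
            if mark.get("type") == "call" and mark["call"].get("api") == api:
                yield mark["pid"], mark["call"].get("arguments", {})


def cross_process_rwx(signatures):
    """Count NtAllocateVirtualMemory calls that carve executable+writable
    memory inside a *different* process.  Allocations in the caller's own
    process (the report lists one for pid 2816 itself) and non-executable
    protections are ordinary and skipped."""
    hits = Counter()
    for pid, args in iter_calls(signatures, "NtAllocateVirtualMemory"):
        target = args.get("process_identifier")
        if target is not None and target != pid and args.get("protection", 0) & PAGE_EXECUTE_READWRITE:
            hits[target] += 1
    return dict(hits)


def global_keyboard_hooks(signatures):
    """pids that installed WH_KEYBOARD_LL with thread_identifier 0, i.e. a
    session-wide low-level hook that sees every keystroke (the keylogger
    signature above is exactly this call from pid 2800)."""
    return [pid for pid, args in iter_calls(signatures, "SetWindowsHookExW")
            if args.get("hook_identifier") == WH_KEYBOARD_LL
            and args.get("thread_identifier") == 0]


def registry_to_restore(signatures):
    """Map every registry path named in a 'generic' or registry 'ioc' mark
    to the value a clean host carries, giving a checklist for remediation."""
    out = {}
    for sig in signatures:
        for mark in sig.get("marks", []):
            path = mark.get("registry") or (mark.get("ioc") if mark.get("category") == "registry" else None)
            if path and path.startswith("HKEY_"):
                name = path.rsplit("\\", 1)[-1]
                if name in CLEAN_VALUES:
                    out[path] = CLEAN_VALUES[name]
    return out


def triage(report):
    """One dict a reviewer can act on: who was injected, who hooks the
    keyboard, which registry values to put back, and the top severity."""
    sigs = report["signatures"]
    return {
        "injection_targets": cross_process_rwx(sigs),
        "keylogger_pids": global_keyboard_hooks(sigs),
        "registry_to_restore": registry_to_restore(sigs),
        "max_severity": max((s.get("severity", 0) for s in sigs), default=0),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run against the full report on this page, `cross_process_rwx` would list every pid that appears in the "manipulating memory of non-child process" IOCs; the one self-targeted IOC ("process 2816 manipulating ... 2816") is a quirk of the signature and is dropped by the same-pid check. The `registry_to_restore` output is a remediation checklist, not a guarantee: values restored while the infector is still running will simply be rewritten.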
The Yara rules did not detect anything in the file.
{ "tls": [], "udp": [ { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 546, "time": 3.0865049362182617, "dport": 137, "sport": 137 }, { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 5874, "time": 9.094645023345947, "dport": 138, "sport": 138 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 7718, "time": 3.015049934387207, "dport": 5355, "sport": 51001 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 8046, "time": 1.0450878143310547, "dport": 5355, "sport": 53595 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 8374, "time": 3.0296239852905273, "dport": 5355, "sport": 53848 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 8702, "time": 1.5494928359985352, "dport": 5355, "sport": 54255 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 9030, "time": -0.0847480297088623, "dport": 5355, "sport": 55314 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 9358, "time": 1.5631349086761475, "dport": 1900, "sport": 1900 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 28768, "time": 1.076200008392334, "dport": 3702, "sport": 49152 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 37152, "time": 3.1321418285369873, "dport": 1900, "sport": 53598 } ], "dns_servers": [], "http": [], "icmp": [], "smtp": [], "tcp": [], "smtp_ex": [], "mitm": [], "hosts": [], "pcap_sha256": "06bbfe31b8360b056ab7e918be03455df35102c6febb3f8a642b4004f0a69186", "dns": [], "http_ex": [], "domains": [], "dead_hosts": [], "sorted_pcap_sha256": "95e9d1d457927365f9c1aa912d7efcff8b6dcfe1c4d33e651e8dc7ea6f1c758f", "irc": [], "https_ex": [] }
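Every flow in the network section above is UDP from the guest to its subnet broadcast (NetBIOS on 137/138) or to a multicast group (LLMNR on 5355, SSDP on 1900, WS-Discovery on 3702); "tcp", "dns", "http" and "dead_hosts" are all empty. That is the background chatter of a freshly booted Windows guest, not something the sample did, and telling the two apart is the first step when reading one of these reports. The script below is an added example, not part of the FreeFixer page or of Cuckoo; SAMPLE_NETWORK is constructed to mirror the UDP entries above, and the /24 guest subnet is an assumption taken from the 192.168.56.255 broadcast destination in the report.

```python
"""Separate local discovery chatter in a Cuckoo 'network' section from flows
that actually leave the analysis VM.  Added example; SAMPLE_NETWORK and the
GUEST_LAN subnet are constructed/assumed, not taken from Cuckoo itself."""
import ipaddress

# Destination ports of Windows name/service discovery that a freshly booted
# guest emits on its own, regardless of the sample under analysis.
DISCOVERY_PORTS = {137: "NBNS", 138: "NetBIOS datagram", 1900: "SSDP",
                   3702: "WS-Discovery", 5353: "mDNS", 5355: "LLMNR"}

GUEST_LAN = ipaddress.ip_network("192.168.56.0/24")   # assumption, see lead-in

SAMPLE_NETWORK = {
    "udp": [
        {"src": "192.168.56.101", "dst": "192.168.56.255", "dport": 137, "sport": 137},
        {"src": "192.168.56.101", "dst": "192.168.56.255", "dport": 138, "sport": 138},
        {"src": "192.168.56.101", "dst": "224.0.0.252", "dport": 5355, "sport": 51001},
        {"src": "192.168.56.101", "dst": "239.255.255.250", "dport": 1900, "sport": 1900},
        {"src": "192.168.56.101", "dst": "239.255.255.250", "dport": 3702, "sport": 49152},
    ],
    "tcp": [], "dns": [], "http": [], "hosts": [], "dead_hosts": [],
}


def is_local_discovery(flow, lan=GUEST_LAN):
    """True for a UDP flow to the subnet broadcast, the limited broadcast or
    a multicast group on one of the discovery ports.  Anything else, including
    a discovery port used toward a unicast address, is kept for review."""
    dst = ipaddress.ip_address(flow["dst"])
    to_broadcast = dst in (lan.broadcast_address, ipaddress.ip_address("255.255.255.255"))
    return (dst.is_multicast or to_broadcast) and flow["dport"] in DISCOVERY_PORTS


def suspicious_flows(network, lan=GUEST_LAN):
    """Return (proto, dst, dport) for every TCP/UDP flow that is not local
    discovery noise, deduplicated in first-seen order."""
    seen, out = set(), []
    for proto in ("udp", "tcp"):
        for flow in network.get(proto, []):
            if proto == "udp" and is_local_discovery(flow, lan):
                continue
            key = (proto, flow["dst"], flow["dport"])
            if key not in seen:
                seen.add(key)
                out.append(key)
    return out


def summarize(network, lan=GUEST_LAN):
    """Counts a reviewer wants at a glance: how much of the capture is noise,
    whether anything resolved or connected out, and whether the sample tried
    hosts that never answered (Cuckoo's 'dead_hosts')."""
    udp = network.get("udp", [])
    noise = sum(1 for f in udp if is_local_discovery(f, lan))
    return {
        "udp_flows": len(udp),
        "discovery_noise": noise,
        "external_flows": suspicious_flows(network, lan),
        "dns_queries": len(network.get("dns", [])),
        "http_requests": len(network.get("http", [])),
        "dead_hosts": len(network.get("dead_hosts", [])),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_NETWORK), indent=2))
```

For the capture on this page the summary comes out with no external flows, no DNS and no dead hosts, which means the sample made no observable outbound connection during this run in this sandbox configuration. That is all it means: a short run in an isolated guest does not rule out network activity under other conditions, and an empty "dead_hosts" list only says the sample did not try unreachable addresses.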
The instructions below show how to remove eath.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the eath.exe file for removal, restart your computer and scan it again to verify that eath.exe has been successfully removed. One caveat: most of the scanners above classify this file as Win32/Sality, a polymorphic file infector that also writes itself into other executables, and the sandbox report shows it injecting into running processes and turning off Security Center, UAC and firewall notifications. Deleting eath.exe on its own does not disinfect the other executables or restore those settings, so follow up with a full scan by an up-to-date anti-virus product that can clean Sality and check the registry values listed in the report. Here are the removal instructions in more detail:
Property | Value |
---|---|
MD5 | 26927bcf1733b933c9b1e49b10d31216 |
SHA256 | bc26065d73abee805e03efb332b6fa543d4b62e3f1fedf955f305df0271618ed |
These are some of the error messages that can appear related to eath.exe:
eath.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
eath.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
eath.exe has stopped working.
End Program - eath.exe. This program is not responding.
eath.exe is not a valid Win32 application.
eath.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
To help other users, please let us know what you will do with eath.exe:
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.