What is hjwrtpov.exe?
hjwrtpov.exe is usually located in the 'c:\users\%USERNAME%\appdata\roaming\vp\' folder.
Some of the anti-virus scanners at VirusTotal detected hjwrtpov.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Digital signatures [?]
hjwrtpov.exe is not signed.
VirusTotal report
53 of the 72 anti-virus programs at VirusTotal detected the hjwrtpov.exe file. That's a 74% detection rate.
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.33285795 |
| AegisLab | Trojan.Win32.Androm.m!c |
| AhnLab-V3 | Malware/Win32.Generic.C3468317 |
| Alibaba | Packed:Win32/Themida.07456c1a |
| APEX | Malicious |
| Arcabit | Trojan.Generic.D1FBE6A3 |
| Avast | Win32:DropperX-gen [Drp] |
| AVG | Win32:DropperX-gen [Drp] |
| Avira | BDS/Androm.xrlrh |
| BitDefender | Trojan.GenericKD.33285795 |
| BitDefenderTheta | Gen:NN.ZexaF.34090.rAWaaGfIdHai |
| ClamAV | Win.Packed.Gamarue-7172976-0 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.2b79d0 |
| Cylance | Unsafe |
| DrWeb | Trojan.Siggen9.12176 |
| eGambit | Unsafe.AI_Score_99% |
| Emsisoft | Trojan.GenericKD.33285795 (B) |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | a variant of Win32/Packed.Themida.GZV |
| F-Secure | Backdoor.BDS/Androm.xrlrh |
| FireEye | Generic.mg.4e635aede93017c1 |
| GData | Trojan.GenericKD.33285795 |
| Ikarus | Trojan.Win32.Themida |
| Invincea | heuristic |
| K7AntiVirus | Trojan ( 0040f4ef1 ) |
| K7GW | Trojan ( 0040f4ef1 ) |
| Kaspersky | HEUR:Backdoor.Win32.Androm.gen |
| Malwarebytes | Spyware.CryptBot.Themida.Generic |
| MAX | malware (ai score=81) |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | Artemis!4E635AEDE930 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.vc |
| Microsoft | Trojan:Win32/Occamy.C |
| MicroWorld-eScan | Trojan.GenericKD.33285795 |
| NANO-Antivirus | Trojan.Win32.TrjGen.haxszg |
| Paloalto | generic.ml |
| Panda | Trj/CI.A |
| Qihoo-360 | Win32/Backdoor.650 |
| Rising | Backdoor.Androm!8.113 (CLOUD) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Generic-S |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Win32.Trojan.Agent.Pfjn |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TROJ_FRS.VSNTBF20 |
| TrendMicro-HouseCall | TROJ_FRS.VSNTBF20 |
| VBA32 | TScope.Malware-Cryptor.SB |
| VIPRE | Trojan.Win32.Generic!BT |
| Webroot | W32.Trojan.Gen |
| ZoneAlarm | HEUR:Backdoor.Win32.Androm.gen |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"connects_ip": [
"127.0.0.1"
],
"downloads_file": [
"http:\/\/ip-api.com\/line"
],
"file_created": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCC.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt",
"C:\\ProgramData\\H8KmjWBbq\\kLz4XtX0TChLR.zip",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-wal",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-shm",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt"
],
"directory_created": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum-btcp",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\ElectronCash",
"C:\\ProgramData\\Newfol",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Desktop",
"C:\\ProgramData\\H8KmjWBbq\\Files",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\ProgramData\\H8KmjWBbq",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Other",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins"
],
"dll_loaded": [
"gdiplus.dll",
"C:\\Windows\\System32\\mswsock.dll",
"urlmon.dll",
"kernel32",
"winmm.dll",
"api-ms-win-core-sysinfo-l1-2-1",
"api-ms-win-core-localization-l1-2-1",
"api-ms-win-core-fibers-l1-1-1",
"dwmapi.dll",
"KERNEL32.dll",
"UxTheme.dll",
"DUI70.dll",
"ntdll.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"C:\\Windows\\system32\\napinsp.dll",
"api-ms-win-core-synch-l1-2-0",
"ntmarta.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"PROPSYS.dll",
"WININET.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"DHCPCSVC.DLL",
"OLEAUT32.DLL",
"RASMAN.DLL",
"ole32.dll",
"USER32.dll",
"Comctl32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"C:\\Windows\\system32\\DUser.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"wininet.dll",
"WindowsCodecs.dll",
"C:\\Windows\\system32\\xmllite.dll",
"CRYPT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"api-ms-win-core-file-l2-1-1",
"SHELL32.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\winrnr.dll",
"DUser.dll",
"comctl32.dll",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"WS2_32.dll",
"NTDLL",
"kernel32.dll",
"GDI32.dll",
"ADVAPI32.dll",
"NTDLL.dll",
"SETUPAPI.dll",
"OLEACC.dll",
"user32.dll",
"OLEAUT32.dll"
],
"file_failed": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\172773668.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0",
"C:\\Users\\cuck\\AppData\\Roaming\\Exodus Eden",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Other",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@",
"C:\\Users\\cuck\\Desktop\\secret.txt",
"\\??\\SIWVID",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\MultiBitHD",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Exodus",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`",
"C:\\Program Files (x86)\\Common Files\\nss3.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Jaxx",
"C:\\Users\\cuck\\AppData\\Roaming\\waves-client",
"C:\\Program Files (x86)\\Internet Explorer\\nss3.dll",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Atomic",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\Documents\\Monero",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`\\`",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\ElectronCash",
"C:\\Users\\cuck\\AppData\\Roaming\\Electrum-btcp",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`\\`\\`",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@\\@\\P",
"\\??\\NTICE",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@\\P\\P",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\ElectronCash",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Electrum",
"C:\\Users\\cuck\\AppData\\Roaming\\com.liberty.jaxx",
"C:\\Users\\cuck\\Desktop\\report.doc",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@\\P",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum-btcp",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@\\@",
"\\??\\SICE",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\Cookies",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\Web Data",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\Web Data",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cookies.sqlite",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\Cookies",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy"
],
[
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\Login Data",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy"
]
],
"connects_host": [
"rifat02.info"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_CLASSES_ROOT\\Directory",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Wine",
"HKEY_CLASSES_ROOT\\Folder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
"HKEY_CLASSES_ROOT\\.ini",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\text",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Directory",
"HKEY_CLASSES_ROOT\\inifile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\Clsid",
"HKEY_CLASSES_ROOT\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\CurVer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
"HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.ini",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Directory\\OpenWithProgids",
"HKEY_CLASSES_ROOT\\.ini\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
"HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\UserChoice",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
"HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\CurVer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_CLASSES_ROOT\\AllFilesystemObjects",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"
],
"resolves_host": [
"wpad",
"cuckpc",
"ip-api.com"
],
"file_written": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCC.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt",
"C:\\ProgramData\\H8KmjWBbq\\172773668.txt",
"C:\\ProgramData\\H8KmjWBbq\\kLz4XtX0TChLR.zip",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCC.txt",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-wal",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-shm",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum-btcp\\wallets",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy",
"C:\\Windows\\SysWOW64",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Exodus",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy",
"C:\\ProgramData\\Avg",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Atomic",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\MultiBitHD",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Jaxx",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-journal",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\com.liberty.jaxx",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Exodus Eden",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy",
"C:\\ProgramData\\Newfol",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Monero",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy",
"C:\\ProgramData\\AVAST Software",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\waves-client",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum\\wallets",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Local State",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\ElectronCash\\wallets",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-wal",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-shm",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy"
],
"mutex": [
"IESQMMUTEX_0_208"
],
"file_opened": [
"C:\\ProgramData",
"C:\\",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\ProgramData\\H8KmjWBbq\\172773668.txt",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\ProgramData\\H8KmjWBbq\\Files",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files",
"C:\\Windows\\resources\\Themes\\Aero\\Shell\\NormalColor\\ShellStyle.dll",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt",
"C:\\Users\\cuck\\Documents",
"C:\\Windows\\System32\\ntdll.dll",
"C:\\Users\\desktop.ini",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt",
"C:\\Users\\cuck",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt",
"C:\\ProgramData\\H8KmjWBbq",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCC.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt",
"C:\\Program Files (x86)\\Mozilla Firefox",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db",
"C:\\ProgramData\\H8KmjWBbq\\kLz4XtX0TChLR.zip"
],
"guid": [
"{ea1afb91-9e28-4b86-90e9-9e9f8a5eefaf}",
"{a1faf330-ef97-11ce-9bc9-00aa00608e01}",
"{3eef301f-b596-4c0b-bd92-013beafce793}",
"{0c9fb851-e5c9-43eb-a370-f0677b13874c}",
"{078759d3-423b-48ad-ab6a-5638c2884dbe}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{eb6339bf-eb6a-437a-82da-a56e7e4f9cdc}",
"{9e175b6d-f52a-11d8-b9a5-505054503030}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{f8383852-fcd3-11d1-a6b9-006097df5bd4}",
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{b056521a-9b10-425e-b616-1fcd828db3b1}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}"
],
"file_read": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\System32\\ntdll.dll",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Users\\desktop.ini",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\kLz4XtX0TChLR.zip",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NoFileFolderConnection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ReleaseId",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MaxUndoItems",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\FirstEntry",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\2018",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\PerceivedType",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Advanced\\MaxUndoItems",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\LastEntry",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1A10",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\2007"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\minidumps\\UTC--2*",
"C:\\Users\\cuck\\Recent\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\6\\wallet.dat",
"C:\\Users\\cuck\\NetHood\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-699399860-4089948139-3198924279-1001\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1024\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*",
"C:\\Users\\cuck\\Favorites\\Windows Live\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\e\\wallet.dat",
"C:\\Users\\cuck\\PrintHood\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*.*",
"C:\\Users\\cuck\\My Documents\\UTC--2*",
"C:\\Users\\cuck\\Documents\\My Music\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\thumbnails\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\1\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\History\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\sessionstore-backups\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\2018-06\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\wallet.dat",
"C:\\Users\\cuck\\Templates\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\entries\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\wallet.dat",
"C:\\Users\\cuck\\SendTo\\*.*",
"C:\\Users\\cuck\\Favorites\\Links for United States\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Extensions\\*.*",
"C:\\Users\\cuck\\Desktop\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\D3L171UH\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\2018-06\\*",
"C:\\Users\\cuck\\Contacts\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Media Center Programs\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-699399860-4089948139-3198924279-1001\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\D3L171UH\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`\\`\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\entries\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Credentials\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\3312185054sbndi_pspte.files\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\1KH9UWN0\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\saved-telemetry-pings\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\ElectronCash\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\GameExplorer\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Desktop\\*",
"C:\\Users\\cuck\\Favorites\\Windows Live\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@\\@\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@\\*",
"C:\\Users\\cuck\\Start Menu\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\*.*",
"C:\\Users\\cuck\\Documents\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1033\\*.*",
"C:\\Users\\cuck\\Templates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\*",
"C:\\Users\\cuck\\SendTo\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\VU6ZINQW\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\History\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\google4\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\2\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\sessionstore-backups\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\UTC--2*",
"C:\\Users\\cuck\\Desktop\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Explorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\ZQR1HVQK\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Media Center Programs\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\3312185054sbndi_pspte.files\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\2\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\events\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\6KHYU14N\\wallet.dat",
"C:\\Users\\cuck\\Documents\\My Videos\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\*.*",
"C:\\Users\\cuck\\Saved Games\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Mozilla\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-699399860-4089948139-3198924279-1001\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-699399860-4089948139-3198924279-1001\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\*.*",
"C:\\Users\\cuck\\Favorites\\Links for United States\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\saved-telemetry-pings\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\thumbnails\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\UTC--2*",
"C:\\Users\\cuck\\Cookies\\wallet.dat",
"C:\\Users\\cuck\\AppData\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3X0GYJB7\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*",
"C:\\Users\\cuck\\Saved Games\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\VU6ZINQW\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Mozilla\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Themes\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*",
"C:\\Users\\cuck\\AppData\\Local\\Application Data\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\*",
"C:\\Users\\cuck\\Application Data\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*",
"C:\\Users\\cuck\\My Documents\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\*.*",
"C:\\Users\\cuck\\Favorites\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Media Center Programs\\*",
"C:\\Users\\cuck\\Favorites\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3X0GYJB7\\UTC--2*",
"C:\\Users\\cuck\\Pictures\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\UTC--2*",
"C:\\Users\\cuck\\Local Settings\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\OfflineCache\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\1\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\events\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Extensions\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Themes\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Themes\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00040617\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Credentials\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\D3L171UH\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temporary Internet Files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\startupCache\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\2018-06\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\wallet.dat",
"C:\\Users\\cuck\\Documents\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\wallet.dat",
"C:\\Users\\cuck\\Documents\\My Videos\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\OfflineCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\3312185054sbndi_pspte.files\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\UTC--2*",
"C:\\Users\\cuck\\Links\\wallet.dat",
"C:\\Users\\cuck\\Downloads\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00040617\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\6KHYU14N\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Extensions\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Media Center Programs\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\minidumps\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OFC88ECH\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\WINNT_x86-msvc\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\1KH9UWN0\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\UTC--2*",
"C:\\Users\\cuck\\Documents\\My Pictures\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\UTC--2*",
"C:\\Users\\cuck\\Searches\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\doomed\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\thumbnails\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\6\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\wallet.dat",
"C:\\Users\\cuck\\Documents\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\bookmarkbackups\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\ZQR1HVQK\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\K6VAOA4J\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\UTC--2*",
"C:\\Users\\cuck\\Music\\wallet.dat",
"C:\\Users\\cuck\\Videos\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\UTC--2*",
"C:\\Users\\cuck\\Saved Games\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\2018-06\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\*.*",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\Favorites\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\startupCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\minidumps\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\K6VAOA4J\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\google4\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*",
"C:\\Users\\cuck\\AppData\\Local\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*",
"C:\\Users\\cuck\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\temporary\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Application Data\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\doomed\\*.*",
"C:\\Users\\cuck\\Recent\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\wallet.dat",
"C:\\Users\\cuck\\Templates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\temporary\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\wallet.dat",
"C:\\Users\\cuck\\Pictures\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\*.*",
"C:\\Users\\cuck\\Favorites\\Links\\UTC--2*",
"C:\\Users\\cuck\\Application Data\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\doomed\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-699399860-4089948139-3198924279-1001\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\History\\wallet.dat",
"C:\\Users\\cuck\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@\\P\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\e\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\entries\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\VirtualStore\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\GameExplorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\K6VAOA4J\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Mozilla\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\1\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\WINNT_x86-msvc\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Extensions\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\GameExplorer\\*.*",
"C:\\Users\\cuck\\Contacts\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Credentials\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\wallet.dat",
"C:\\Users\\cuck\\Favorites\\Windows Live\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3X0GYJB7\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\*.*",
"C:\\Users\\cuck\\NetHood\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\UTC--2*",
"C:\\Users\\cuck\\Cookies\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\3312185054sbndi_pspte.files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\saved-telemetry-pings\\wallet.dat",
"C:\\Users\\cuck\\Videos\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\VirtualStore\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Application Data\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\1\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\events\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\*.*",
"C:\\Users\\cuck\\Pictures\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\startupCache\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\minidumps\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\wallet.dat",
"C:\\Users\\cuck\\Music\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\UTC--2*",
"C:\\Users\\cuck\\Music\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*.*",
"C:\\Users\\cuck\\Searches\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\e\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\Links for United States\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\UTC--2*",
"C:\\Users\\cuck\\Start Menu\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\1KH9UWN0\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\wallet.dat",
"C:\\Users\\cuck\\AppData\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1033\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temporary Internet Files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-699399860-4089948139-3198924279-1001\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\*",
"C:\\Users\\cuck\\NetHood\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Other\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\wallet.dat",
"C:\\Users\\cuck\\Start Menu\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum-btcp\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1033\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\WINNT_x86-msvc\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.*",
"C:\\Users\\cuck\\Documents\\My Music\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\*.*",
"C:\\Users\\cuck\\Documents\\My Pictures\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\1\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\sessionstore-backups\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\VirtualStore\\*.*",
"C:\\Users\\cuck\\Documents\\My Videos\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\wallet.dat",
"C:\\Users\\cuck\\Contacts\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\3312185054sbndi_pspte.files\\UTC--2*",
"C:\\Users\\cuck\\Links\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\Links\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\temporary\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\*.*",
"C:\\Program Files (x86)\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\wallet.dat",
"C:\\Windows\\System32\\ras\\*.pbk",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\*.*",
"C:\\Users\\cuck\\PrintHood\\*.*",
"C:\\Users\\cuck\\Documents\\My Pictures\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*",
"C:\\Users\\cuck\\Videos\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\saved-telemetry-pings\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\temporary\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\1\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*.*",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\sessionstore-backups\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\jumpListCache\\wallet.dat",
"C:\\Users\\cuck\\Searches\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*",
"C:\\Users\\cuck\\Application Data\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\jumpListCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OFC88ECH\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\*",
"C:\\Users\\cuck\\Local Settings\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@\\@\\*",
"C:\\Users\\cuck\\SendTo\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\bookmarkbackups\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\WINNT_x86-msvc\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00040617\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-699399860-4089948139-3198924279-1001\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Explorer\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\3312185054sbndi_pspte.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\UTC--2*",
"C:\\Users\\cuck\\Documents\\My Music\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*",
"C:\\Users\\cuck\\PrintHood\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\bookmarkbackups\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\events\\wallet.dat",
"C:\\Users\\cuck\\Favorites\\Links\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\wallet.dat",
"C:\\Users\\cuck\\My Documents\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1024\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\VU6ZINQW\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\*.*",
"C:\\Users\\cuck\\UTC--2*",
"C:\\Users\\cuck\\Downloads\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\6\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\jumpListCache\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\3312185054sbndi_pspte.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\2\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@\\*",
"C:\\Users\\cuck\\Downloads\\UTC--2*",
"C:\\Users\\cuck\\Cookies\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\3312185054sbndi_pspte.files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OFC88ECH\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\*.*",
"C:\\Users\\cuck\\Links\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\bookmarkbackups\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\6KHYU14N\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temporary Internet Files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\OfflineCache\\wallet.dat",
"C:\\Users\\cuck\\Local Settings\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\google4\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\ZQR1HVQK\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1024\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Explorer\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\wallet.dat",
"C:\\Users\\cuck\\Recent\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\wallet.dat",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-699399860-4089948139-3198924279-1001\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*.*",
"C:\\Users\\cuck\\Desktop\\UTC--2*"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory"
]
}Dropped
[
{
"yara": [],
"sha1": "fe777100b0ab894356e786ac9a46ce065d775139",
"name": "466a22d1c4d2105f_mozilla_firefox_cookies_ychsjyz.txt",
"filepath": "C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt",
"type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators",
"sha256": "466a22d1c4d2105f0c0b40ee32f44057d9eb7b744d6d2b435d281ca93a2e1cf6",
"urls": [],
"crc32": "F100563E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5456\/files\/466a22d1c4d2105f_mozilla_firefox_cookies_ychsjyz.txt",
"ssdeep": null,
"size": 1976,
"sha512": "a7f89b19e36e18f64b90e80f8d2fbc0353d372a61735371190bb8af7ebc54cb0377db18f559d34601a60aa41696b11e1329d54a04aa02cf9805a2a22b97ae0f6",
"pids": [
1664
],
"md5": "290be866b4cb0b443ce9474313d38c61"
},
{
"yara": [],
"sha1": "608eeb7488042453c9ca40f7e1398fc1a270f3f4",
"name": "fd4c9fda9cd3f9ae_moz_cookies.db-shm",
"filepath": "C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-shm",
"type": "data",
"sha256": "fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb",
"urls": [],
"crc32": "DDC506B6",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5456\/files\/fd4c9fda9cd3f9ae_moz_cookies.db-shm",
"ssdeep": null,
"size": 32768,
"sha512": "d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0",
"pids": [],
"md5": "b7c14ec6110fa820ca6b65f5aec85911"
},
{
"yara": [],
"sha1": "2a41e9e936cc96912217594ef119f42c361b1a87",
"name": "e669d1b41e82b229__info.txt",
"filepath": "C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt",
"type": "Little-endian UTF-16 Unicode text, with CRLF, CR line terminators",
"sha256": "e669d1b41e82b2295055bc11b044370eb3d62f6682b7730e46ad2fe80a20d07e",
"urls": [],
"crc32": "2076180E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5456\/files\/e669d1b41e82b229__info.txt",
"ssdeep": null,
"size": 1526,
"sha512": "644a2e1bc42d17a8b511efd2c4ceba5c03600f1a2ae15dd847101014112a2c3dd4ef6d87b70810fd17f4641c061c5c25bbf67306614364328494f05391bfea12",
"pids": [
1664
],
"md5": "e9e157a499ab075384a0ba4c7c4229c8"
},
{
"yara": [],
"sha1": "57218c316b6921e2cd61027a2387edc31a2d9471",
"name": "f1945cd6c19e56b3__FileCC.txt",
"filepath": "C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCC.txt",
"type": "UTF-8 Unicode text, with no line terminators",
"sha256": "f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5",
"urls": [],
"crc32": "011097E1",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5456\/files\/f1945cd6c19e56b3__FileCC.txt",
"ssdeep": null,
"size": 3,
"sha512": "37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5",
"pids": [
1664
],
"md5": "ecaa88f7fa0bf610a5a26cf545dcd3aa"
},
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14_moz_cookies.db-wal",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5456\/files\/e3b0c44298fc1c14_moz_cookies.db-wal",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"yara": [],
"sha1": "bc81b9a30daf548f0cafc6a3dac640e61b712def",
"name": "e444ddbbb6876dff__screen.jpg",
"filepath": "C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg",
"type": "JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 800x600, frames 3",
"sha256": "e444ddbbb6876dfffcca0e269ecdef86df79751ebea2439aaae5a13df6d57b77",
"urls": [],
"crc32": "43E3DCBA",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5456\/files\/e444ddbbb6876dff__screen.jpg",
"ssdeep": null,
"size": 14159,
"sha512": "9ca824104d6c6a73dab8e586e7f01e39646aad9ef28af29d73c2e887ecadf7dbc98fd5a02a3eca3db9ef953f9c457fe7107dbc10eb891cdaf18ebd00c3e8e6bb",
"pids": [
1664
],
"md5": "a353c3dc46a6158901073e2bc6883f39"
},
{
"yara": [],
"sha1": "9b0e0cbed7d75c88326b926870c16abf274dfb15",
"name": "e48f98d5c262aea7_klz4xtx0tchlr.zip",
"filepath": "C:\\ProgramData\\H8KmjWBbq\\kLz4XtX0TChLR.zip",
"type": "Zip archive data, at least v2.0 to extract",
"sha256": "e48f98d5c262aea746488364e5b7fd7af670f81fefe94632f653ce9b3b12a924",
"urls": [],
"crc32": "BD0FDB05",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5456\/files\/e48f98d5c262aea7_klz4xtx0tchlr.zip",
"ssdeep": null,
"size": 10462,
"sha512": "c93f6df48d3e2d323a8d3ad2ad5fa58cceeca87aa31b7719242d012b81ef68479f8147e7051903403739fba6b373afb9373ad8abf00c5aed808a929b6defa525",
"pids": [
1664
],
"md5": "b9be415ec88b121958685587fc38d6e7"
}
]Generic
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"process_name": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"pid": 1664,
"summary": {
"connects_ip": [
"127.0.0.1"
],
"downloads_file": [
"http:\/\/ip-api.com\/line"
],
"file_created": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCC.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt",
"C:\\ProgramData\\H8KmjWBbq\\kLz4XtX0TChLR.zip",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-wal",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-shm",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt"
],
"directory_created": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum-btcp",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\ElectronCash",
"C:\\ProgramData\\Newfol",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Desktop",
"C:\\ProgramData\\H8KmjWBbq\\Files",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\ProgramData\\H8KmjWBbq",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Other",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins"
],
"dll_loaded": [
"gdiplus.dll",
"C:\\Windows\\System32\\mswsock.dll",
"urlmon.dll",
"kernel32",
"winmm.dll",
"api-ms-win-core-sysinfo-l1-2-1",
"api-ms-win-core-localization-l1-2-1",
"api-ms-win-core-fibers-l1-1-1",
"dwmapi.dll",
"KERNEL32.dll",
"UxTheme.dll",
"DUI70.dll",
"ntdll.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"C:\\Windows\\system32\\napinsp.dll",
"api-ms-win-core-synch-l1-2-0",
"ntmarta.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"PROPSYS.dll",
"WININET.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"DHCPCSVC.DLL",
"OLEAUT32.DLL",
"RASMAN.DLL",
"ole32.dll",
"USER32.dll",
"Comctl32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"C:\\Windows\\system32\\DUser.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"wininet.dll",
"WindowsCodecs.dll",
"C:\\Windows\\system32\\xmllite.dll",
"CRYPT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"api-ms-win-core-file-l2-1-1",
"SHELL32.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\winrnr.dll",
"DUser.dll",
"comctl32.dll",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"WS2_32.dll",
"NTDLL",
"kernel32.dll",
"GDI32.dll",
"ADVAPI32.dll",
"NTDLL.dll",
"SETUPAPI.dll",
"OLEACC.dll",
"user32.dll",
"OLEAUT32.dll"
],
"file_failed": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\172773668.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0",
"C:\\Users\\cuck\\AppData\\Roaming\\Exodus Eden",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Other",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@",
"C:\\Users\\cuck\\Desktop\\secret.txt",
"\\??\\SIWVID",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\MultiBitHD",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Exodus",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`",
"C:\\Program Files (x86)\\Common Files\\nss3.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Jaxx",
"C:\\Users\\cuck\\AppData\\Roaming\\waves-client",
"C:\\Program Files (x86)\\Internet Explorer\\nss3.dll",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Atomic",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\Documents\\Monero",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`\\`",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\ElectronCash",
"C:\\Users\\cuck\\AppData\\Roaming\\Electrum-btcp",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`\\`\\`",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@\\@\\P",
"\\??\\NTICE",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@\\P\\P",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\ElectronCash",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Electrum",
"C:\\Users\\cuck\\AppData\\Roaming\\com.liberty.jaxx",
"C:\\Users\\cuck\\Desktop\\report.doc",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@\\@\\@",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@\\P",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum-btcp",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0\\@\\@",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@\\@",
"\\??\\SICE",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\Cookies",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\Web Data",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\Web Data",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cookies.sqlite",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\Cookies",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy"
],
[
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\Web Data",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\Login Data",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\Cookies",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\Login Data",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy"
]
],
"connects_host": [
"rifat02.info"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_CLASSES_ROOT\\Directory",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Wine",
"HKEY_CLASSES_ROOT\\Folder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
"HKEY_CLASSES_ROOT\\.ini",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\text",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Directory",
"HKEY_CLASSES_ROOT\\inifile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\Clsid",
"HKEY_CLASSES_ROOT\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\CurVer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
"HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.ini",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Directory\\OpenWithProgids",
"HKEY_CLASSES_ROOT\\.ini\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
"HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\UserChoice",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
"HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\CurVer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ini\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_CLASSES_ROOT\\AllFilesystemObjects",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"
],
"resolves_host": [
"wpad",
"cuckpc",
"ip-api.com"
],
"file_written": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCC.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt",
"C:\\ProgramData\\H8KmjWBbq\\172773668.txt",
"C:\\ProgramData\\H8KmjWBbq\\kLz4XtX0TChLR.zip",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCC.txt",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-wal",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-shm",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum-btcp\\wallets",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\LoginDataCopy",
"C:\\Windows\\SysWOW64",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Exodus",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy",
"C:\\ProgramData\\Avg",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Atomic",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\MultiBitHD",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Jaxx",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-journal",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\com.liberty.jaxx",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Exodus Eden",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\CookiesCopy",
"C:\\ProgramData\\Newfol",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Monero",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy",
"C:\\ProgramData\\AVAST Software",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\waves-client",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Comodo\\Dragon\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Vivaldi\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum\\wallets",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Local State",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\CocCoc\\Browser\\User Data\\Default\\CookiesCopy",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\ElectronCash\\wallets",
"C:\\Users\\cuck\\AppData\\Roaming\\brave\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\360Chrome\\Chrome\\User Data\\Default\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Torch\\User Data\\Default\\WebDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
"C:\\Users\\cuck\\AppData\\Local\\CentBrowser\\User Data\\Default\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Local\\Slimjet\\User Data\\Default\\LoginDataCopy",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-wal",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db-shm",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy",
"C:\\Users\\cuck\\AppData\\Roaming\\Opera Software\\Opera Stable\\CookiesCopy",
"C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy"
],
"mutex": [
"IESQMMUTEX_0_208"
],
"file_opened": [
"C:\\ProgramData",
"C:\\",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\ProgramData\\H8KmjWBbq\\172773668.txt",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\ProgramData\\H8KmjWBbq\\Files",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files",
"C:\\Windows\\resources\\Themes\\Aero\\Shell\\NormalColor\\ShellStyle.dll",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt",
"C:\\Users\\cuck\\Documents",
"C:\\Windows\\System32\\ntdll.dll",
"C:\\Users\\desktop.ini",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt",
"C:\\Users\\cuck",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt",
"C:\\ProgramData\\H8KmjWBbq",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCC.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt",
"C:\\Program Files (x86)\\Mozilla Firefox",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db",
"C:\\ProgramData\\H8KmjWBbq\\kLz4XtX0TChLR.zip"
],
"guid": [
"{ea1afb91-9e28-4b86-90e9-9e9f8a5eefaf}",
"{a1faf330-ef97-11ce-9bc9-00aa00608e01}",
"{3eef301f-b596-4c0b-bd92-013beafce793}",
"{0c9fb851-e5c9-43eb-a370-f0677b13874c}",
"{078759d3-423b-48ad-ab6a-5638c2884dbe}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{eb6339bf-eb6a-437a-82da-a56e7e4f9cdc}",
"{9e175b6d-f52a-11d8-b9a5-505054503030}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{f8383852-fcd3-11d1-a6b9-006097df5bd4}",
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{b056521a-9b10-425e-b616-1fcd828db3b1}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}"
],
"file_read": [
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\System32\\ntdll.dll",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Users\\desktop.ini",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\kLz4XtX0TChLR.zip",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt",
"C:\\ProgramData\\H8KmjWBbq\\moz_cookies.db",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\NoFileFolderConnection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ReleaseId",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MaxUndoItems",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\FirstEntry",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\2018",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\PerceivedType",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Advanced\\MaxUndoItems",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\LastEntry",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\inifile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1A10",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Pacific Standard Time\\Dynamic DST\\2007"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\minidumps\\UTC--2*",
"C:\\Users\\cuck\\Recent\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\6\\wallet.dat",
"C:\\Users\\cuck\\NetHood\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-699399860-4089948139-3198924279-1001\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1024\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*",
"C:\\Users\\cuck\\Favorites\\Windows Live\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\e\\wallet.dat",
"C:\\Users\\cuck\\PrintHood\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*.*",
"C:\\Users\\cuck\\My Documents\\UTC--2*",
"C:\\Users\\cuck\\Documents\\My Music\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\thumbnails\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\1\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\History\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\sessionstore-backups\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\2018-06\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\wallet.dat",
"C:\\Users\\cuck\\Templates\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\entries\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\wallet.dat",
"C:\\Users\\cuck\\SendTo\\*.*",
"C:\\Users\\cuck\\Favorites\\Links for United States\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Extensions\\*.*",
"C:\\Users\\cuck\\Desktop\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\D3L171UH\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\2018-06\\*",
"C:\\Users\\cuck\\Contacts\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Media Center Programs\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-699399860-4089948139-3198924279-1001\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\D3L171UH\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`\\`\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\entries\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Credentials\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\3312185054sbndi_pspte.files\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\1KH9UWN0\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\saved-telemetry-pings\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\ElectronCash\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\GameExplorer\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Desktop\\*",
"C:\\Users\\cuck\\Favorites\\Windows Live\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@\\@\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@\\*",
"C:\\Users\\cuck\\Start Menu\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\*.*",
"C:\\Users\\cuck\\Documents\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1033\\*.*",
"C:\\Users\\cuck\\Templates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\*",
"C:\\Users\\cuck\\SendTo\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\VU6ZINQW\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\History\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\google4\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\2\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\sessionstore-backups\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\UTC--2*",
"C:\\Users\\cuck\\Desktop\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Explorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\ZQR1HVQK\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Media Center Programs\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\3312185054sbndi_pspte.files\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\2\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\events\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\6KHYU14N\\wallet.dat",
"C:\\Users\\cuck\\Documents\\My Videos\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\*.*",
"C:\\Users\\cuck\\Saved Games\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Mozilla\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-699399860-4089948139-3198924279-1001\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-699399860-4089948139-3198924279-1001\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\0\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\*.*",
"C:\\Users\\cuck\\Favorites\\Links for United States\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\saved-telemetry-pings\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\thumbnails\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\UTC--2*",
"C:\\Users\\cuck\\Cookies\\wallet.dat",
"C:\\Users\\cuck\\AppData\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3X0GYJB7\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*",
"C:\\Users\\cuck\\Saved Games\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\VU6ZINQW\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Mozilla\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Themes\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*",
"C:\\Users\\cuck\\AppData\\Local\\Application Data\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\*",
"C:\\Users\\cuck\\Application Data\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*",
"C:\\Users\\cuck\\My Documents\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\*.*",
"C:\\Users\\cuck\\Favorites\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Media Center Programs\\*",
"C:\\Users\\cuck\\Favorites\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Feeds for United States~\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3X0GYJB7\\UTC--2*",
"C:\\Users\\cuck\\Pictures\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\UTC--2*",
"C:\\Users\\cuck\\Local Settings\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\0\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\OfflineCache\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\1\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\events\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Extensions\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Themes\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Themes\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00040617\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Credentials\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\D3L171UH\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temporary Internet Files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\startupCache\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\2018-06\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\wallet.dat",
"C:\\Users\\cuck\\Documents\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\wallet.dat",
"C:\\Users\\cuck\\Documents\\My Videos\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\OfflineCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\3312185054sbndi_pspte.files\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\UTC--2*",
"C:\\Users\\cuck\\Links\\wallet.dat",
"C:\\Users\\cuck\\Downloads\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00040617\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\6KHYU14N\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Extensions\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Media Center Programs\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\minidumps\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OFC88ECH\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\WINNT_x86-msvc\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\1KH9UWN0\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\UTC--2*",
"C:\\Users\\cuck\\Documents\\My Pictures\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\UTC--2*",
"C:\\Users\\cuck\\Searches\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\doomed\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\thumbnails\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\6\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\wallet.dat",
"C:\\Users\\cuck\\Documents\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\bookmarkbackups\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\ZQR1HVQK\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\K6VAOA4J\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\mozilla-temp-files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\UTC--2*",
"C:\\Users\\cuck\\Music\\wallet.dat",
"C:\\Users\\cuck\\Videos\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\UTC--2*",
"C:\\Users\\cuck\\Saved Games\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\2018-06\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\*.*",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\Favorites\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\startupCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\minidumps\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\K6VAOA4J\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\google4\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*",
"C:\\Users\\cuck\\AppData\\Local\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*",
"C:\\Users\\cuck\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\temporary\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Application Data\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\doomed\\*.*",
"C:\\Users\\cuck\\Recent\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\wallet.dat",
"C:\\Users\\cuck\\Templates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\temporary\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\wallet.dat",
"C:\\Users\\cuck\\Pictures\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\*.*",
"C:\\Users\\cuck\\Favorites\\Links\\UTC--2*",
"C:\\Users\\cuck\\Application Data\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\doomed\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-699399860-4089948139-3198924279-1001\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\History\\wallet.dat",
"C:\\Users\\cuck\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@\\P\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\e\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\entries\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\VirtualStore\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\0\\0\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\GameExplorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\K6VAOA4J\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Mozilla\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\wallet.dat",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\1\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\WINNT_x86-msvc\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Extensions\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\GameExplorer\\*.*",
"C:\\Users\\cuck\\Contacts\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Credentials\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\wallet.dat",
"C:\\Users\\cuck\\Favorites\\Windows Live\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3X0GYJB7\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\*.*",
"C:\\Users\\cuck\\NetHood\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\UTC--2*",
"C:\\Users\\cuck\\Cookies\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\3312185054sbndi_pspte.files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\`\\`\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\saved-telemetry-pings\\wallet.dat",
"C:\\Users\\cuck\\Videos\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\VirtualStore\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Application Data\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\1\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\events\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\*.*",
"C:\\Users\\cuck\\Pictures\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\startupCache\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\minidumps\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\wallet.dat",
"C:\\Users\\cuck\\Music\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\UTC--2*",
"C:\\Users\\cuck\\Music\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*.*",
"C:\\Users\\cuck\\Searches\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\1657114595AmcateirvtiSty.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\e\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\Links for United States\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\UTC--2*",
"C:\\Users\\cuck\\Start Menu\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileCookies.txt\\@\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\1KH9UWN0\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\wallet.dat",
"C:\\Users\\cuck\\AppData\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1033\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temporary Internet Files\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-699399860-4089948139-3198924279-1001\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\0\\*",
"C:\\Users\\cuck\\NetHood\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\Other\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\0\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\wallet.dat",
"C:\\Users\\cuck\\Start Menu\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum-btcp\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum\\*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Files\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1033\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\WINNT_x86-msvc\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.*",
"C:\\Users\\cuck\\Documents\\My Music\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\*.*",
"C:\\Users\\cuck\\Documents\\My Pictures\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\1\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ERC\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\sessionstore-backups\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\0\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\VirtualStore\\*.*",
"C:\\Users\\cuck\\Documents\\My Videos\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Info.txt\\0\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\wallet.dat",
"C:\\Users\\cuck\\Contacts\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\3312185054sbndi_pspte.files\\UTC--2*",
"C:\\Users\\cuck\\Links\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\Links\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FileForms.txt\\@\\@\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\temporary\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\*.*",
"C:\\Program Files (x86)\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WPDNSE\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Burn\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\wallet.dat",
"C:\\Windows\\System32\\ras\\*.pbk",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\*.*",
"C:\\Users\\cuck\\PrintHood\\*.*",
"C:\\Users\\cuck\\Documents\\My Pictures\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*",
"C:\\Users\\cuck\\Videos\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\saved-telemetry-pings\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\temporary\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\1\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*.*",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\sessionstore-backups\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\jumpListCache\\wallet.dat",
"C:\\Users\\cuck\\Searches\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*",
"C:\\Users\\cuck\\Application Data\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\UTC--2*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\jumpListCache\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OFC88ECH\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\*",
"C:\\Users\\cuck\\Local Settings\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\b\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@\\@\\*",
"C:\\Users\\cuck\\SendTo\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\bookmarkbackups\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\WINNT_x86-msvc\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\{183045C5-6B41-4C94-A7FA-BE70B5E7A9D3}\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00040617\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_Screen.jpg\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-699399860-4089948139-3198924279-1001\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Explorer\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\3312185054sbndi_pspte.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Identities\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\UTC--2*",
"C:\\Users\\cuck\\Documents\\My Music\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*",
"C:\\Users\\cuck\\PrintHood\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\bookmarkbackups\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\crashes\\events\\wallet.dat",
"C:\\Users\\cuck\\Favorites\\Links\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\wallet.dat",
"C:\\Users\\cuck\\My Documents\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\datareporting\\archived\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1024\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\Mozilla_Firefox_Cookies_ycHSjyz.txt\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\VU6ZINQW\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\1\\6\\6\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\Cookies\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\*.*",
"C:\\Users\\cuck\\UTC--2*",
"C:\\Users\\cuck\\Downloads\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\UTC--2*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\7\\6\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\jumpListCache\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\moz-safe-about+home\\idb\\3312185054sbndi_pspte.files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\7\\b\\7\\2\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\wallet.dat",
"C:\\ProgramData\\H8KmjWBbq\\Files\\_FilePasswords.txt\\@\\@\\@\\@\\*",
"C:\\Users\\cuck\\Downloads\\UTC--2*",
"C:\\Users\\cuck\\Cookies\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\default\\about+newtab\\idb\\3312185054sbndi_pspte.files\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OFC88ECH\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\cache2\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\gmp\\*.*",
"C:\\Users\\cuck\\Links\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\e\\d\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\bookmarkbackups\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\6KHYU14N\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\UTC--2*",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Ringtones\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\storage\\permanent\\chrome\\idb\\3561288849sdhlie.files\\*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temporary Internet Files\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\4\\e\\e\\3\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\@\\@\\*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\OfflineCache\\wallet.dat",
"C:\\Users\\cuck\\Local Settings\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\74r5sasm.default\\safebrowsing\\google4\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\ZQR1HVQK\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\1024\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Explorer\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\f\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Media\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\wallet.dat",
"C:\\Users\\cuck\\Recent\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\pip\\cache\\http\\b\\b\\8\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Credentials\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\wallet.dat",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\wallet.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-699399860-4089948139-3198924279-1001\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\UTC--2*",
"C:\\Users\\cuck\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\*.*",
"C:\\ProgramData\\H8KmjWBbq\\Files\\Browsers\\_FilePasswords.txt\\@\\*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*.*",
"C:\\Users\\cuck\\Desktop\\UTC--2*"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory"
]
},
"first_seen": 1581929586.71875,
"ppid": 2448
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1581929586.40625,
"ppid": 376
}
]Signatures
[
{
"markcount": 1,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1581929593.51575,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11238
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 60,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5669
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929589.20275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10976
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929591.21875,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10990
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929593.23475,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11143
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929595.24975,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15096
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929597.26575,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15119
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929599.28075,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15134
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929601.29675,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15153
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929603.31275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15174
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929605.32775,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15193
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929607.34375,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15210
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929609.35975,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15234
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929611.37475,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15253
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929613.39075,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15269
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929615.40575,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15300
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929617.42175,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15316
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929619.43775,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15335
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929621.45275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15350
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929623.46875,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15370
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929625.48475,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15394
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929627.49975,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15406
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929629.51575,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15428
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929631.53075,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15448
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929633.54675,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15467
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929635.56275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15484
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929637.57775,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15506
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929639.59375,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15528
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929641.60975,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15540
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929643.62475,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15559
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929645.64075,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15583
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929647.65575,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15606
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929649.67175,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15626
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929651.68775,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15640
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929653.70275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15666
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929655.71875,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15686
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929657.73475,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15707
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929659.74975,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15730
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929661.76575,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15749
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929663.78075,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15768
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929665.79675,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15784
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929667.81275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15799
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929669.82775,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15820
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929671.84375,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15843
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929673.85975,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15866
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929675.87475,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15890
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929677.89075,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15906
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929679.90575,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15928
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929681.92175,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15940
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929683.93775,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15963
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1581929685.95275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15984
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "Tries to locate where the browsers are installed",
"severity": 1,
"marks": [
{
"category": "file",
"ioc": "C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "locates_browser"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1581929593.51575,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11258
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 5,
"families": [],
"description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
"severity": 1,
"marks": [
{
"category": "section",
"ioc": " \\x00 ",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": ".idata ",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": " ",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "bublcksk",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "uydimcfa",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_features"
},
{
"markcount": 114,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1636316,
"edi": 0,
"eax": 1,
"ebp": 1636332,
"edx": 24326144,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"exception": {
"instruction_r": "fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x3820b9",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 3678393,
"address": "0x15720b9"
}
},
"time": 1581929586.82775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 0
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636280,
"edi": 1975189736,
"eax": 28570,
"ebp": 3955195924,
"edx": 19701354,
"ebx": 366756247,
"esi": 3,
"ecx": 1975386112
},
"exception": {
"instruction_r": "fb 83 ec 04 89 04 24 b8 70 4b fd 7b c1 e8 07 e9",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0xda3a4",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 893860,
"address": "0x12ca3a4"
}
},
"time": 1581929586.82775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 1
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 1975189736,
"eax": 28570,
"ebp": 3955195924,
"edx": 19704212,
"ebx": 0,
"esi": 240873,
"ecx": 1975386112
},
"exception": {
"instruction_r": "fb 55 e9 50 fb ff ff 5c 51 b9 e6 91 7a 5d 50 e9",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0xda815",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 894997,
"address": "0x12ca815"
}
},
"time": 1581929586.82775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636280,
"edi": 1975189736,
"eax": 32271,
"ebp": 3955195924,
"edx": 2111867392,
"ebx": 19705503,
"esi": 240873,
"ecx": 1975386112
},
"exception": {
"instruction_r": "fb 83 ec 04 e9 df 00 00 00 f7 d0 c1 e0 06 e9 c0",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0xdb64e",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 898638,
"address": "0x12cb64e"
}
},
"time": 1581929586.82775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 3
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 1975189736,
"eax": 32271,
"ebp": 3955195924,
"edx": 1259,
"ebx": 19737774,
"esi": 240873,
"ecx": 4294937648
},
"exception": {
"instruction_r": "fb 56 be fb 7d fb 4d e9 44 01 00 00 89 e7 81 c7",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0xdb113",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 897299,
"address": "0x12cb113"
}
},
"time": 1581929586.82775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 4
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636280,
"edi": 19740902,
"eax": 32172,
"ebp": 3955195924,
"edx": 2130566132,
"ebx": 54264636,
"esi": 21245112,
"ecx": 21260288
},
"exception": {
"instruction_r": "fb 57 bf 24 8e bf 2c 51 89 3c 24 89 1c 24 bb 02",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x256fd9",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2453465,
"address": "0x1446fd9"
}
},
"time": 1581929586.82775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 807657,
"eax": 32172,
"ebp": 3955195924,
"edx": 0,
"ebx": 54264636,
"esi": 21245112,
"ecx": 21263408
},
"exception": {
"instruction_r": "fb 57 68 d7 b1 f7 7d e9 00 00 00 00 8b 3c 24 e9",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x257393",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2454419,
"address": "0x1447393"
}
},
"time": 1581929586.82775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636280,
"edi": 807657,
"eax": 30979,
"ebp": 3955195924,
"edx": 483781062,
"ebx": 54264636,
"esi": 21267247,
"ecx": 21263408
},
"exception": {
"instruction_r": "fb 81 ec 04 00 00 00 89 1c 24 56 89 04 24 c7 04",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x25851f",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2458911,
"address": "0x144851f"
}
},
"time": 1581929586.82775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 12
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 50665,
"eax": 30979,
"ebp": 3955195924,
"edx": 483781062,
"ebx": 54264636,
"esi": 21270142,
"ecx": 0
},
"exception": {
"instruction_r": "fb b8 60 5f 7f 65 f7 d8 92 f7 d2 92 0d a5 11 f7",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2589ba",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2460090,
"address": "0x14489ba"
}
},
"time": 1581929586.82775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 13
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 3867000,
"eax": 33085,
"ebp": 3955195924,
"edx": 3867000,
"ebx": 21272131,
"esi": 21315173,
"ecx": 21272131
},
"exception": {
"instruction_r": "fb 56 89 3c 24 c7 04 24 d2 77 00 3c ff 34 24 ff",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x25bef3",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2473715,
"address": "0x144bef3"
}
},
"time": 1581929586.84375,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 17
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 202985,
"eax": 33085,
"ebp": 3955195924,
"edx": 0,
"ebx": 21272131,
"esi": 21285541,
"ecx": 21272131
},
"exception": {
"instruction_r": "fb 55 54 e9 18 fa ff ff 29 de 81 ee f2 39 ff 57",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x25c75d",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2475869,
"address": "0x144c75d"
}
},
"time": 1581929586.84375,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 18
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636276,
"edi": 3878248,
"eax": 1447909480,
"ebp": 3955195924,
"edx": 22104,
"ebx": 1975324853,
"esi": 21306981,
"ecx": 20
},
"exception": {
"instruction_r": "ed 64 8f 05 00 00 00 00 53 54 5b e9 1a c9 ff ff",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x265f4a",
"instruction": "in eax, dx",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2514762,
"address": "0x1455f4a"
}
},
"time": 1581929586.84375,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 23
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636276,
"edi": 3878248,
"eax": 1,
"ebp": 3955195924,
"edx": 22104,
"ebx": 0,
"esi": 21306981,
"ecx": 20
},
"exception": {
"instruction_r": "0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x262ef6",
"address": "0x1452ef6",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc000001d",
"offset": 2502390
}
},
"time": 1581929586.84375,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 24
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636276,
"edi": 3878248,
"eax": 1447909480,
"ebp": 3955195924,
"edx": 22104,
"ebx": 2256917605,
"esi": 21306981,
"ecx": 10
},
"exception": {
"instruction_r": "ed 81 fb 68 58 4d 56 75 0a c7 85 35 2a 6d 15 01",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2632f2",
"instruction": "in eax, dx",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2503410,
"address": "0x14532f2"
}
},
"time": 1581929586.84375,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 25
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 0,
"eax": 1636244,
"ebp": 3955195924,
"edx": 2130553257,
"ebx": 21342109,
"esi": 0,
"ecx": 21341353
},
"exception": {
"instruction_r": "cd 01 eb 00 e8 06 00 00 00 3c 0c cf ad ee 9b 80",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x26a6d0",
"instruction": "int 1",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000005",
"offset": 2533072,
"address": "0x145a6d0"
}
},
"time": 1581929586.99975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2615
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636280,
"edi": 3878248,
"eax": 32410,
"ebp": 3955195924,
"edx": 2130566132,
"ebx": 36097140,
"esi": 11624,
"ecx": 21343579
},
"exception": {
"instruction_r": "fb 55 e9 a6 fe ff ff 29 eb 81 c3 0d 08 d7 6b 5d",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x26b299",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2536089,
"address": "0x145b299"
}
},
"time": 1581929586.99975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2616
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 3878248,
"eax": 32410,
"ebp": 3955195924,
"edx": 2130566132,
"ebx": 36097140,
"esi": 11624,
"ecx": 21375989
},
"exception": {
"instruction_r": "fb e9 7d 00 00 00 ff 34 24 5f 55 e9 79 fa ff ff",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x26b453",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2536531,
"address": "0x145b453"
}
},
"time": 1581929586.99975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2617
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 3878248,
"eax": 32410,
"ebp": 3955195924,
"edx": 4294937576,
"ebx": 2283,
"esi": 11624,
"ecx": 21375989
},
"exception": {
"instruction_r": "fb 52 c7 04 24 8a 67 66 60 89 2c 24 bd 18 9a 77",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x26b630",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2537008,
"address": "0x145b630"
}
},
"time": 1581929586.99975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2618
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 21399625,
"eax": 27311,
"ebp": 3955195924,
"edx": 654654,
"ebx": 2283,
"esi": 11624,
"ecx": 21342508
},
"exception": {
"instruction_r": "fb 68 00 c2 1a 5d 89 3c 24 89 e7 e9 55 fe ff ff",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x272331",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2564913,
"address": "0x1462331"
}
},
"time": 1581929586.99975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2619
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636284,
"edi": 21399625,
"eax": 27311,
"ebp": 3955195924,
"edx": 4294943036,
"ebx": 2283,
"esi": 11624,
"ecx": 2298801283
},
"exception": {
"instruction_r": "fb 52 e9 ad 02 00 00 5a e9 88 02 00 00 5a b9 04",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2720ac",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2564268,
"address": "0x14620ac"
}
},
"time": 1581929586.99975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2620
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636272,
"edi": 21425778,
"eax": 27220,
"ebp": 3955195924,
"edx": 6,
"ebx": 36097362,
"esi": 1975260176,
"ecx": 6
},
"exception": {
"instruction_r": "fb 52 ba c0 a8 7b 57 4a 81 c2 01 00 00 00 83 ec",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x27ee7e",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2616958,
"address": "0x146ee7e"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5536
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636276,
"edi": 21452998,
"eax": 27220,
"ebp": 3955195924,
"edx": 6,
"ebx": 36097362,
"esi": 1975260176,
"ecx": 6
},
"exception": {
"instruction_r": "fb 68 11 fe a3 1b 89 14 24 c7 04 24 a1 14 fd 77",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x27ef38",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2617144,
"address": "0x146ef38"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5537
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636276,
"edi": 21428498,
"eax": 27220,
"ebp": 3955195924,
"edx": 6,
"ebx": 36097362,
"esi": 0,
"ecx": 3914880080
},
"exception": {
"instruction_r": "fb 68 de 89 38 7d 89 3c 24 57 bf 41 fa 94 61 89",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x27f843",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2619459,
"address": "0x146f843"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5538
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636276,
"edi": 21428498,
"eax": 1179202795,
"ebp": 3955195924,
"edx": 6,
"ebx": 385100164,
"esi": 0,
"ecx": 21431821
},
"exception": {
"instruction_r": "fb 56 89 e6 81 c6 04 00 00 00 e9 d6 03 00 00 58",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x27ff61",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2621281,
"address": "0x146ff61"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5539
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636276,
"edi": 3942217990,
"eax": 21468285,
"ebp": 3955195924,
"edx": 84201,
"ebx": 3959421742,
"esi": 0,
"ecx": 2152029730
},
"exception": {
"instruction_r": "fb 52 89 3c 24 89 0c 24 c7 04 24 78 00 bf 65 e9",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2889ce",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2656718,
"address": "0x14789ce"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5541
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636240,
"edi": 21578661,
"eax": 27778,
"ebp": 3955195924,
"edx": 21583962,
"ebx": 0,
"esi": 21578692,
"ecx": 3349086208
},
"exception": {
"instruction_r": "fb 57 51 b9 bf bb 3d 67 89 cf 59 53 bb 26 63 ff",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2a5afe",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2775806,
"address": "0x1495afe"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5573
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21578661,
"eax": 27778,
"ebp": 3955195924,
"edx": 21587072,
"ebx": 0,
"esi": 7792982,
"ecx": 3349086208
},
"exception": {
"instruction_r": "fb 56 e9 bc 0b 00 00 be ab e8 df 6f 81 e6 c2 7a",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2a586d",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2775149,
"address": "0x149586d"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5574
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21578661,
"eax": 28741,
"ebp": 3955195924,
"edx": 1065028119,
"ebx": 21616025,
"esi": 7792982,
"ecx": 3349086208
},
"exception": {
"instruction_r": "fb 51 e9 55 08 00 00 55 bd 08 95 fd 2f e9 39 01",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2a692d",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2779437,
"address": "0x149692d"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5575
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21578661,
"eax": 28741,
"ebp": 3955195924,
"edx": 1065028119,
"ebx": 21590545,
"esi": 483098720,
"ecx": 0
},
"exception": {
"instruction_r": "fb 50 89 2c 24 89 0c 24 b9 db a7 fb 7b 87 f1 4e",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2a6d0c",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2780428,
"address": "0x1496d0c"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5576
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21578661,
"eax": 27520,
"ebp": 3955195924,
"edx": 4294942508,
"ebx": 21620121,
"esi": 483098720,
"ecx": 7399761
},
"exception": {
"instruction_r": "fb 81 ec 04 00 00 00 89 14 24 56 e9 06 00 00 00",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2a7b59",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2784089,
"address": "0x1497b59"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5577
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636240,
"edi": 21578661,
"eax": 31539,
"ebp": 3955195924,
"edx": 4294942508,
"ebx": 16782487,
"esi": 483153718,
"ecx": 21601141
},
"exception": {
"instruction_r": "fb 81 c1 82 e3 ce 2e 52 e9 80 00 00 00 c7 04 24",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2a9e43",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2793027,
"address": "0x1499e43"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5578
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21578661,
"eax": 31539,
"ebp": 3955195924,
"edx": 4294942508,
"ebx": 16782487,
"esi": 483153718,
"ecx": 21632680
},
"exception": {
"instruction_r": "fb 31 ff ff 34 0f e9 00 00 00 00 ff 34 24 8b 34",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2aa4e8",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2794728,
"address": "0x149a4e8"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5579
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 4294938592,
"eax": 31539,
"ebp": 3955195924,
"edx": 4294942508,
"ebx": 16782487,
"esi": 1342204512,
"ecx": 21632680
},
"exception": {
"instruction_r": "fb 56 51 b9 71 7c ff 1f 81 e9 48 ce f7 5f 50 b8",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2a9ba3",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2792355,
"address": "0x1499ba3"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5580
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21604784,
"eax": 21645114,
"ebp": 3955195924,
"edx": 0,
"ebx": 717331853,
"esi": 4294943728,
"ecx": 1983578254
},
"exception": {
"instruction_r": "fb 57 c7 04 24 fd 22 74 2d 89 14 24 50 b8 94 0e",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2ae50b",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2811147,
"address": "0x149e50b"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5582
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636240,
"edi": 21604784,
"eax": 28368,
"ebp": 3955195924,
"edx": 21622159,
"ebx": 19704533,
"esi": 4294943728,
"ecx": 66003252
},
"exception": {
"instruction_r": "fb 53 55 bd 45 88 ad 7f 81 cd ec f0 fc 7f e9 c3",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2af4f3",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2815219,
"address": "0x149f4f3"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5583
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21604784,
"eax": 28368,
"ebp": 3955195924,
"edx": 21625231,
"ebx": 19704533,
"esi": 24811,
"ecx": 0
},
"exception": {
"instruction_r": "fb 51 e9 76 ff ff ff 05 04 00 00 00 83 e8 04 87",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2af94a",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2816330,
"address": "0x149f94a"
}
},
"time": 1581929587.17175,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5584
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 3923806544,
"eax": 32233,
"ebp": 3955195924,
"edx": 4294938096,
"ebx": 21679463,
"esi": 256,
"ecx": 16309
},
"exception": {
"instruction_r": "fb 50 89 3c 24 54 5f 81 c7 04 00 00 00 e9 0f 00",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2b51bb",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2838971,
"address": "0x14a51bb"
}
},
"time": 1581929587.18775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5585
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 3923806544,
"eax": 21678216,
"ebp": 3955195924,
"edx": 384687619,
"ebx": 488209963,
"esi": 256,
"ecx": 16309
},
"exception": {
"instruction_r": "fb 57 89 2c 24 89 0c 24 c7 04 24 a2 10 37 7f 81",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2b659e",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2844062,
"address": "0x14a659e"
}
},
"time": 1581929587.18775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5586
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 4294942224,
"eax": 21678216,
"ebp": 3955195924,
"edx": 384687619,
"ebx": 488209963,
"esi": 322689,
"ecx": 16309
},
"exception": {
"instruction_r": "fb 57 bf 71 2b 5b 5f e9 38 fe ff ff 81 c2 b2 dd",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2b614e",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2842958,
"address": "0x14a614e"
}
},
"time": 1581929587.18775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5587
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636240,
"edi": 21703127,
"eax": 32726,
"ebp": 3955195924,
"edx": 2130566132,
"ebx": 21723718,
"esi": 4294897333,
"ecx": 0
},
"exception": {
"instruction_r": "fb 81 c3 76 cb db 6b e9 13 01 00 00 89 e6 81 c6",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2c7b1a",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2915098,
"address": "0x14b7b1a"
}
},
"time": 1581929587.18775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5607
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21703127,
"eax": 32726,
"ebp": 3955195924,
"edx": 2130566132,
"ebx": 21756444,
"esi": 4294897333,
"ecx": 0
},
"exception": {
"instruction_r": "fb 31 c9 ff 34 19 e9 ba 08 00 00 58 89 ca 8b 0c",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2c7a9d",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2914973,
"address": "0x14b7a9d"
}
},
"time": 1581929587.18775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5608
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 4843857,
"eax": 32726,
"ebp": 3955195924,
"edx": 2130566132,
"ebx": 21756444,
"esi": 4294897333,
"ecx": 4294937332
},
"exception": {
"instruction_r": "fb e9 eb 04 00 00 2d f5 91 00 41 01 c6 8b 04 24",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2c7ef0",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2916080,
"address": "0x14b7ef0"
}
},
"time": 1581929587.18775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5609
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636240,
"edi": 21749871,
"eax": 27144,
"ebp": 3955195924,
"edx": 1979908096,
"ebx": 21733231,
"esi": 8699884,
"ecx": 21476003
},
"exception": {
"instruction_r": "fb 68 4f f0 49 76 89 0c 24 c7 04 24 33 ba ff 79",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2ceb85",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2943877,
"address": "0x14beb85"
}
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5661
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21777015,
"eax": 27144,
"ebp": 3955195924,
"edx": 1979908096,
"ebx": 21733231,
"esi": 8699884,
"ecx": 21476003
},
"exception": {
"instruction_r": "fb 51 89 34 24 53 e9 d2 02 00 00 ff 34 24 5a 81",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2ce2e0",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2941664,
"address": "0x14be2e0"
}
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5662
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21752987,
"eax": 0,
"ebp": 3955195924,
"edx": 1979908096,
"ebx": 21733231,
"esi": 8699884,
"ecx": 2179434839
},
"exception": {
"instruction_r": "fb 55 bd d1 c2 6f 38 55 59 ff 34 24 5d 81 c4 04",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2ce9de",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2943454,
"address": "0x14be9de"
}
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5663
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21777395,
"eax": 4294943920,
"ebp": 3955195924,
"edx": 1548802152,
"ebx": 21754251,
"esi": 21754247,
"ecx": 21823078
},
"exception": {
"instruction_r": "fb 52 89 34 24 be 8e 0a f7 0b f7 d6 81 c6 97 23",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2da1d7",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2990551,
"address": "0x14ca1d7"
}
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5670
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21777395,
"eax": 28826,
"ebp": 3955195924,
"edx": 21844451,
"ebx": 17762236,
"esi": 151775970,
"ecx": 10
},
"exception": {
"instruction_r": "fb e9 0b 00 00 00 33 0c 24 31 0c 24 e9 8d 02 00",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2de973",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 3008883,
"address": "0x14ce973"
}
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5673
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21777395,
"eax": 28826,
"ebp": 3955195924,
"edx": 21844451,
"ebx": 4294941328,
"esi": 151775970,
"ecx": 1015632471
},
"exception": {
"instruction_r": "fb 57 89 04 24 b8 a8 56 fe 71 e9 75 01 00 00 5f",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2de85f",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 3008607,
"address": "0x14ce85f"
}
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5674
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636240,
"edi": 21852368,
"eax": 31153,
"ebp": 3955195924,
"edx": 1979908096,
"ebx": 21831580,
"esi": 8699884,
"ecx": 21476003
},
"exception": {
"instruction_r": "fb 83 ec 04 89 0c 24 89 e1 81 c1 04 00 00 00 83",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2e7ca0",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 3046560,
"address": "0x14d7ca0"
}
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5691
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636244,
"edi": 21855673,
"eax": 31153,
"ebp": 3955195924,
"edx": 1979908096,
"ebx": 21831580,
"esi": 2179172691,
"ecx": 0
},
"exception": {
"instruction_r": "fb 51 e9 7f fb ff ff c1 e6 02 50 b8 a9 e1 bd 5f",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x2e7a28",
"instruction": "sti",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 3045928,
"address": "0x14d7a28"
}
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5692
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 34,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77c2f000"
},
"time": 1581929587.21875,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1664,
"type": "call",
"cid": 5723
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77ba0000"
},
"time": 1581929587.21875,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1664,
"type": "call",
"cid": 5725
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 401408,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x011f1000"
},
"time": 1581929587.24975,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1664,
"type": "call",
"cid": 5816
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00910000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5843
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00960000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5844
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009c0000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5845
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009d0000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5846
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b60000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5847
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c30000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5848
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c80000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5849
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c90000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5854
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00ce0000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5856
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00d30000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5857
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00d40000"
},
"time": 1581929587.26575,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5858
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00e90000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5860
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00ee0000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5863
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00ef0000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5864
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01000000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5865
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01050000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5866
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x011d0000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5867
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x011e0000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5868
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02b40000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5869
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02bd0000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5870
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02ce0000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5874
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b60000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5877
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02d30000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5878
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b60000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5880
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b60000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5882
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b60000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5884
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b60000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5886
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b60000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5888
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b60000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5890
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b60000"
},
"time": 1581929587.28075,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 5892
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x03220000"
},
"time": 1581929588.26575,
"tid": 1424,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 8062
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "A process attempted to delay the analysis task.",
"severity": 2,
"marks": [
{
"type": "generic",
"description": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin tried to sleep 1195 seconds, actually delayed analysis time by 1195 seconds"
}
],
"references": [],
"name": "antisandbox_sleep"
},
{
"markcount": 25,
"families": [],
"description": "Steals private information from local Internet browsers",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\WebDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\CookiesCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\LoginDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\LoginDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 2\\LoginDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\WebDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\CookiesCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\LoginDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\CookiesCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\WebDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 3\\CookiesCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\WebDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\LoginDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\WebDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\LoginDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\WebDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\LoginDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\WebDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\CookiesCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 2\\LoginDataCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\CookiesCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 3\\CookiesCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Profile 1\\CookiesCopy",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Chromium\\User Data\\Default\\WebDataCopy",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "infostealer_browser"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 0,
"family": 0
},
"time": 1581929588.67175,
"tid": 264,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10947
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 4,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.985016771999608,
"section": {
"size_of_data": "0x00061600",
"virtual_address": "0x00001000",
"entropy": 7.985016771999608,
"name": " \\x00 ",
"virtual_size": "0x000b2000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 7.997254087129174,
"section": {
"size_of_data": "0x00023200",
"virtual_address": "0x000b3000",
"entropy": 7.997254087129174,
"name": ".rsrc",
"virtual_size": "0x00023085"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 7.957244340547787,
"section": {
"size_of_data": "0x001c0400",
"virtual_address": "0x00382000",
"entropy": 7.957244340547787,
"name": "bublcksk",
"virtual_size": "0x001c1000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.99935469993547,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 1,
"families": [],
"description": "Expresses interest in specific running processes",
"severity": 2,
"marks": [
{
"category": "process",
"ioc": "system",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "process_interest"
},
{
"markcount": 1,
"families": [],
"description": "Queries for potentially installed applications",
"severity": 2,
"marks": [
{
"call": {
"category": "registry",
"status": 0,
"stacktrace": [],
"last_error": 183,
"nt_status": -1073741772,
"api": "RegOpenKeyExW",
"return_value": 2,
"arguments": {
"access": "0x00020119",
"base_handle": "0x80000001",
"key_handle": "0x00000000",
"regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
"regkey_r": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
"options": 0
},
"time": 1581929593.51575,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11309
}
],
"references": [],
"name": "queries_programs"
},
{
"markcount": 2,
"families": [],
"description": "Attempts to identify installed AV products by installation directory",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "C:\\ProgramData\\AVAST Software",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\ProgramData\\Avg",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antiav_detectfile"
},
{
"markcount": 3,
"families": [],
"description": "Checks for the presence of known devices from debuggers and forensic tools",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "\\??\\SICE",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "\\??\\SIWVID",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "\\??\\NTICE",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antidbg_devices"
},
{
"markcount": 344,
"families": [],
"description": "Checks for the presence of known windows from debuggers and forensic tools",
"severity": 3,
"marks": [
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1581929587.18775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5596
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1581929587.18775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5597
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1581929587.18775,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5598
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5677
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5677
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "File Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5678
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5679
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5680
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "RegmonClass",
"window_name": ""
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5693
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "RegmonClass",
"window_name": ""
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5693
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Registry Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5694
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1581929587.20275,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5695
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1581929587.24975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5802
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1581929587.24975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5802
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "File Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1581929587.24975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5803
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1581929587.24975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5804
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1581929587.24975,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5805
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1581929589.20275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10977
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1581929589.20275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10978
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1581929589.20275,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10979
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1581929591.21875,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10991
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1581929591.21875,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10992
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1581929591.21875,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 10993
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1581929591.28075,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11135
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1581929591.28075,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11135
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1581929591.59375,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11137
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Filemonclass",
"window_name": ""
},
"time": 1581929591.90575,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11139
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Filemonclass",
"window_name": ""
},
"time": 1581929591.90575,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11139
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1581929591.90575,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11140
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1581929593.23475,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11144
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1581929593.23475,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11145
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1581929593.23475,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 11146
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1581929595.24975,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15097
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1581929595.24975,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15098
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1581929595.24975,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15099
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1581929595.90575,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15107
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1581929595.90575,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15107
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1581929596.21875,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15109
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Filemonclass",
"window_name": ""
},
"time": 1581929596.53075,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15111
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Filemonclass",
"window_name": ""
},
"time": 1581929596.53075,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15111
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1581929596.53075,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15112
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1581929597.26575,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15120
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1581929597.26575,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15121
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1581929597.26575,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15122
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1581929599.28075,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15135
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1581929599.28075,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15136
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1581929599.28075,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15137
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1581929600.53075,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15145
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1581929600.53075,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15145
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1581929600.84375,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15147
}
],
"references": [],
"name": "antidbg_windows"
},
{
"markcount": 2,
"families": [],
"description": "Checks the version of Bios, possibly for anti-virtualization",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_generic_bios"
},
{
"markcount": 1,
"families": [],
"description": "Checks the CPU name from registry, possibly for anti-virtualization",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_generic_cpu"
},
{
"markcount": 1,
"families": [],
"description": "Attempts to access Bitcoin\/ALTCoin wallets",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "C:\\ProgramData\\H8KmjWBbq\\Files\\Coins\\Electrum\\wallets",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "infostealer_bitcoin"
},
{
"markcount": 5,
"families": [],
"description": "Sets or modifies WPAD proxy autoconfiguration file for traffic interception",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000534",
"value": 1,
"regkey_r": "WpadDecisionReason",
"reg_type": 4,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason"
},
"time": 1581929591.24975,
"tid": 264,
"flags": {
"reg_type": "REG_DWORD"
}
},
"pid": 1664,
"type": "call",
"cid": 11017
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000534",
"value": "0M\t\u00d4\u0088\u00e5\u00d5\u0001",
"regkey_r": "WpadDecisionTime",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime"
},
"time": 1581929591.24975,
"tid": 264,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 1664,
"type": "call",
"cid": 11018
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000534",
"value": 3,
"regkey_r": "WpadDecision",
"reg_type": 4,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision"
},
"time": 1581929591.24975,
"tid": 264,
"flags": {
"reg_type": "REG_DWORD"
}
},
"pid": 1664,
"type": "call",
"cid": 11019
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExW",
"return_value": 0,
"arguments": {
"key_handle": "0x00000534",
"value": "Unidentified network",
"regkey_r": "WpadNetworkName",
"reg_type": 1,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName"
},
"time": 1581929591.24975,
"tid": 264,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 1664,
"type": "call",
"cid": 11020
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExW",
"return_value": 0,
"arguments": {
"key_handle": "0x00000530",
"value": "{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"regkey_r": "WpadLastNetwork",
"reg_type": 1,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork"
},
"time": 1581929591.24975,
"tid": 264,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 1664,
"type": "call",
"cid": 11088
}
],
"references": [],
"name": "modifies_proxy_wpad"
},
{
"markcount": 1,
"families": [],
"description": "Detects VirtualBox through the presence of a registry key",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_vbox_keys"
},
{
"markcount": 1,
"families": [],
"description": "Detects VMWare through the in instruction feature",
"severity": 3,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1636276,
"edi": 3878248,
"eax": 1447909480,
"ebp": 3955195924,
"edx": 22104,
"ebx": 1975324853,
"esi": 21306981,
"ecx": 20
},
"exception": {
"instruction_r": "ed 64 8f 05 00 00 00 00 53 54 5b e9 1a c9 ff ff",
"symbol": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a+0x265f4a",
"instruction": "in eax, dx",
"module": "4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a.bin",
"exception_code": "0xc0000096",
"offset": 2514762,
"address": "0x1455f4a"
}
},
"time": 1581929586.84375,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 23
}
],
"references": [],
"name": "antivm_vmware_in_instruction"
},
{
"markcount": 1,
"families": [],
"description": "Detects the presence of Wine emulator",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Wine",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antiemu_wine"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.202451944351196,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 17006,
"time": 12.202229022979736,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 18850,
"time": 6.136878967285156,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 19178,
"time": 4.138168096542358,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 19506,
"time": 6.184876918792725,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 19834,
"time": 4.748365879058838,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 20162,
"time": 3.034648895263672,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 20490,
"time": 7.116219997406006,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 20810,
"time": 4.173476934432983,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 40220,
"time": 4.17375111579895,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 48604,
"time": 6.264458894729614,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "70d4216243400f1088e4074b8736253d920a25836bb93fb082719207f268d54b",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "54199e702753d2dbef95959ff96d7d5a194444b2a0b99ccf5b35e63cd872281a",
"irc": [],
"https_ex": []
}Screenshots
hjwrtpov.exe removal instructions
The instructions below shows how to remove hjwrtpov.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the hjwrtpov.exe file for removal, restart your computer and scan it again to verify that hjwrtpov.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate hjwrtpov.exe in the scan result and tick the checkbox next to the hjwrtpov.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate hjwrtpov.exe in the scan result.
c:\users\%USERNAME%\appdata\roaming\vp\hjwrtpov.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the hjwrtpov.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If hjwrtpov.exe still remains in the scan result, proceed with the next step. If hjwrtpov.exe is gone from the scan result you're done.
- If hjwrtpov.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that hjwrtpov.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 4e635aede93017c1fe530e82f8ae37e6 |
| SHA256 | 4dc9f1b81127c4ea0704ccb1e26fbe6c4eaa9da02d337a3cac6d8178df17267a |
Error Messages
These are some of the error messages that can appear related to hjwrtpov.exe:
hjwrtpov.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
hjwrtpov.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
hjwrtpov.exe has stopped working.
End Program - hjwrtpov.exe. This program is not responding.
hjwrtpov.exe is not a valid Win32 application.
hjwrtpov.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with hjwrtpov.exe?
To help other users, please let us know what you will do with hjwrtpov.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.