stub.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected stub.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
The following is the available information on stub.exe:
Property | Value |
---|---|
Legal copyright | © Microsoft Corporation. All rights reserved |
File version | 1.2.0.1 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
Legal copyright | © Microsoft Corporation. All rights.. |
File version | 1.2.0.1 |
stub.exe is not signed.
49 of the 69 anti-virus programs at VirusTotal detected the stub.exe file. That's a 71% detection rate.
Scanner | Detection Name |
---|---|
Acronis | suspicious |
Ad-Aware | AIT:Trojan.GenericTKA.16 |
AegisLab | Trojan.Win32.AutoIt.4!c |
Alibaba | TrojanSpy:Win32/AutoIt.b954b653 |
ALYac | AIT:Trojan.GenericTKA.16 |
Antiy-AVL | Trojan/Generic.ASVCS3S.1E5 |
Arcabit | AIT:Trojan.GenericTKA.16 |
Avast | Win32:Evo-gen [Susp] |
AVG | Win32:Evo-gen [Susp] |
Avira | HEUR/AGEN.1026171 |
Baidu | Win32.Trojan-Spy.Autoit.b |
BitDefender | AIT:Trojan.GenericTKA.16 |
ClamAV | Win.Malware.Autoit-6887871-0 |
CrowdStrike | win/malicious_confidence_100% (W) |
Cybereason | malicious.a2edae |
Cylance | Unsafe |
Cyren | W32/AutoIt.GQ.gen!Eldorado |
DrWeb | Trojan.AutoIt.276 |
Emsisoft | AIT:Trojan.GenericTKA.16 (B) |
Endgame | malicious (moderate confidence) |
ESET-NOD32 | a variant of Win32/Spy.Autoit.BY |
F-Prot | W32/AutoIt.GQ.gen!Eldorado |
F-Secure | Heuristic.HEUR/AGEN.1026171 |
FireEye | Generic.mg.53d9a23a2edaeb04 |
Fortinet | W32/Autoit.BY!tr.spy |
GData | AIT:Trojan.AutoIT.Agent.MR (2x) |
Ikarus | Dropper.AutoIt |
Jiangmin | TrojanSpy.AutoIt.ho |
K7AntiVirus | Spyware ( 004d8c0a1 ) |
K7GW | Spyware ( 004d8c0a1 ) |
Kaspersky | Trojan-Spy.Win32.AutoIt.cv |
MAX | malware (ai score=100) |
McAfee | Artemis!53D9A23A2EDA |
McAfee-GW-Edition | BehavesLike.Win32.Generic.cc |
Microsoft | PWS:AutoIt/Passup.A |
MicroWorld-eScan | AIT:Trojan.GenericTKA.16 |
NANO-Antivirus | Trojan.Win32.AutoIt.fpbuvb |
Paloalto | generic.ml |
Panda | Trj/Genetic.gen |
Qihoo-360 | HEUR/QVM11.1.9029.Malware.Gen |
SentinelOne | DFI - Suspicious PE |
Sophos | Mal/Generic-S |
Symantec | ML.Attribute.HighConfidence |
Tencent | Win32.Trojan-spy.Autoit.Swuz |
Trapmine | malicious.moderate.ml.score |
TrendMicro | TROJ_GEN.R002C0DDG19 |
TrendMicro-HouseCall | TROJ_GEN.R002C0DDG19 |
VBA32 | Trojan.Autoit.F |
ZoneAlarm | Trojan-Spy.Win32.AutoIt.cv |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
{ "file_created": [ "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm" ], "file_recreated": [ "\\??\\nul", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "\\Device\\KsecDD", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "\\Device\\Http\\Communication", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp" ], "regkey_written": [ "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4462", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Server ID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileDirectory", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TaskbarNoNotification", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableFileTracing", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableConsoleTracing", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoUpdate", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\MaxFileSize", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default LDAP Account", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102" ], "dll_loaded": [ "COMDLG32.dll", "RASMONTR.DLL", "C:\\Windows\\System32\\mswsock.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "WSHELPER.DLL", "RpcRtRemote.dll", "API-MS-WIN-Service-Management-L2-1-0.dll", "gdi32.dll", "DNSAPI.dll", "DHCPCSVC.DLL", "kernel32.dll", "UxTheme.dll", "NSHIPSEC.DLL", "dwmapi.dll", "ntdll.dll", "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll", "HTTPAPI.dll", "WHHELPER.DLL", "HNETMON.DLL", "API-MS-WIN-Service-Management-L1-1-0.dll", "WININET.dll", "SXS.DLL", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "KERNEL32.DLL", "DOT3CFG.DLL", "WSOCK32.dll", "RASMAN.DLL", "RPCNSH.DLL", "comctl32", "ole32.dll", "USERENV.dll", "NSHWFP.DLL", "USER32.dll", "IMM32.dll", "gdiplus.dll", "MPR.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "rtutils.dll", "IPHLPAPI.DLL", "GPAPI.dll", "WLANCFG.DLL", "WinInet.dll", "Avicap32.dll", "DHCPCMONITOR.DLL", "C:\\Windows\\system32\\napinsp.dll", "OLEAUT32.dll", "C:\\Windows\\system32\\pnrpnsp.dll", "SHELL32.dll", "NAPMONTR.DLL", "NSHHTTP.DLL", "CRYPTSP.dll", "C:\\Windows\\System32\\winrnr.dll", "PSAPI.DLL", "comctl32.dll", "PEERDISTSH.DLL", "NETIOHLP.DLL", "COMCTL32.dll", "C:\\Windows\\system32\\NLAapi.dll", "VERSION.dll", "wininet.dll", "WINMM.dll", "AUTHFWCFG.DLL", "GDI32.dll", "MLANG.dll", "P2PNETSH.DLL", "IFMON.DLL", "C:\\Windows\\SysWOW64\\oleaut32.dll", "ADVAPI32.dll", "rpcrt4.dll", "WS2_32.dll", "FWCFG.DLL", "user32.dll", "userenv.dll" ], "file_opened": [ "", "C:\\Windows\\System32\\en-US\\mlang.dll.mui", "C:\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "\\Device\\NamedPipe\\", "C:\\Windows\\System32\\en-US\\eapqec.dll.mui", "C:\\Users\\cuck\\AppData\\Roaming\\", "C:\\Windows\\System32\\wbem\\wbemdisp.tlb", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount", "C:\\Windows\\System32\\netmsg.dll", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Windows\\SysWOW64\\stdole2.tlb", "C:\\Windows\\System32\\tsgqec.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Windows\\System32\\EAPQEC.DLL", "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll", "C:\\Windows\\System32\\mlang.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Windows\\System32\\en-US\\napipsec.dll.mui", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "C:\\Windows\\System32\\napipsec.dll", "C:\\Windows\\SysWOW64\\cdosys.dll", "C:\\Windows\\System32\\DHCPQEC.DLL" ], "file_copied": [ [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe" ] ], "connects_host": [ "icanhazip.com", "62.108.34.111" ], "regkey_opened": [ "HKEY_CLASSES_ROOT\\.tiff", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient", "HKEY_CLASSES_ROOT\\.avi", "HKEY_CLASSES_ROOT\\.group", "HKEY_CLASSES_ROOT\\.wsc", "HKEY_CLASSES_ROOT\\.vssscc", "HKEY_CLASSES_ROOT\\.ai", "HKEY_CLASSES_ROOT\\.wsz", "HKEY_CLASSES_ROOT\\.au", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7", "HKEY_CLASSES_ROOT\\.wvx", "HKEY_CLASSES_ROOT\\.c2r", "HKEY_CLASSES_ROOT\\.TTS", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming", "HKEY_CLASSES_ROOT\\.mlc", "HKEY_CLASSES_ROOT\\.js", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.gmmp", "HKEY_CLASSES_ROOT\\.evt", "HKEY_CLASSES_ROOT\\.xls", "HKEY_CLASSES_ROOT\\.eyb", "HKEY_CLASSES_ROOT\\.cda", "HKEY_CLASSES_ROOT\\.cdx", "HKEY_CLASSES_ROOT\\.xlb", "HKEY_CLASSES_ROOT\\.jbf", "HKEY_CLASSES_ROOT\\.com", "HKEY_CLASSES_ROOT\\.lst", "HKEY_CLASSES_ROOT\\.cod", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Publisher", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", "HKEY_CLASSES_ROOT\\.dct", "HKEY_CLASSES_ROOT\\.nls", "HKEY_CLASSES_ROOT\\.mov", "HKEY_CLASSES_ROOT\\.H1C", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\9", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\VFW", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Roaming", "HKEY_CLASSES_ROOT\\.wm", "HKEY_CLASSES_ROOT\\.rsp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider", "HKEY_CLASSES_ROOT\\.pch", "HKEY_CLASSES_ROOT\\txtfile", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\UI", "HKEY_CLASSES_ROOT\\.hpp", "HKEY_CLASSES_ROOT\\.wtx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service", "HKEY_CLASSES_ROOT\\.rtf", "HKEY_CURRENT_USER\\CLSID\\{00000000-0000-0000-0000-000000000000}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc", "HKEY_CLASSES_ROOT\\.m4v", "HKEY_CLASSES_ROOT\\.m4p", "HKEY_CLASSES_ROOT\\.art", "HKEY_CLASSES_ROOT\\.bkf", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\Progid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler", "HKEY_CLASSES_ROOT\\.m4a", "HKEY_CLASSES_ROOT\\.kci", "HKEY_CLASSES_ROOT\\.qds", "HKEY_CLASSES_ROOT\\.cab", "HKEY_CLASSES_ROOT\\.p12", "HKEY_CLASSES_ROOT\\.p10", "HKEY_CLASSES_ROOT\\.MTS", "HKEY_CLASSES_ROOT\\.cat", "HKEY_CLASSES_ROOT\\.aspx", "HKEY_CLASSES_ROOT\\.psd", "HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted", "HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.ibq", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0", "HKEY_CLASSES_ROOT\\.sor", "HKEY_CLASSES_ROOT\\.blg", "HKEY_CLASSES_ROOT\\.chm", "HKEY_CLASSES_ROOT\\.chk", "HKEY_CLASSES_ROOT\\.sol", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider", "HKEY_CLASSES_ROOT\\.vob", "HKEY_CLASSES_ROOT\\.rat", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Download", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0", "HKEY_CLASSES_ROOT\\.MOD", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\Connection", "HKEY_CLASSES_ROOT\\.xps", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0", "HKEY_CLASSES_ROOT\\.log", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid", "HKEY_CLASSES_ROOT\\.rc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CooperativeCaching", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager", "HKEY_CLASSES_ROOT\\.mpv2", "HKEY_CLASSES_ROOT\\.png", "HKEY_CLASSES_ROOT\\.pnf", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Discovery", "HKEY_CLASSES_ROOT\\.doc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Republication", "HKEY_CLASSES_ROOT\\.faq", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\UtilityIndex", "HKEY_CLASSES_ROOT\\.dos", "HKEY_CLASSES_ROOT\\.dot", "HKEY_CLASSES_ROOT\\.jod", "HKEY_CLASSES_ROOT\\.csv", "HKEY_CLASSES_ROOT\\.css", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\409", "HKEY_CLASSES_ROOT\\.mht", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager\\Restricted", "HKEY_CLASSES_ROOT\\.csa", "HKEY_CLASSES_ROOT\\.udt", "HKEY_CLASSES_ROOT\\.htx", "HKEY_CLASSES_ROOT\\.crds", "HKEY_CLASSES_ROOT\\.trg", "HKEY_CLASSES_ROOT\\.htt", "HKEY_CLASSES_ROOT\\.htw", "HKEY_CLASSES_ROOT\\.mcl", "HKEY_CLASSES_ROOT\\.udf", "HKEY_CLASSES_ROOT\\.htm", "HKEY_CLASSES_ROOT\\.shtm", "HKEY_CLASSES_ROOT\\.hta", "HKEY_CLASSES_ROOT\\.htc", "HKEY_CLASSES_ROOT\\.p7s", "HKEY_CLASSES_ROOT\\.txt", "HKEY_CLASSES_ROOT\\.WMS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Republication", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\PolicyProvider", "HKEY_CLASSES_ROOT\\.WMD", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "HKEY_CLASSES_ROOT\\.jfif", "HKEY_CLASSES_ROOT\\.wlt", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager", "HKEY_CLASSES_ROOT\\.fon", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PeerDist", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions", "HKEY_CLASSES_ROOT\\.wll", "HKEY_CLASSES_ROOT\\.cer", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE", "HKEY_CLASSES_ROOT\\.tab", "HKEY_CLASSES_ROOT\\.nfo", "HKEY_CLASSES_ROOT\\.cls", "HKEY_CLASSES_ROOT\\.ps1xml", "HKEY_CLASSES_ROOT\\.tar", "HKEY_CURRENT_USER\\Control Panel\\Mouse", "HKEY_CLASSES_ROOT\\.sst", "HKEY_CLASSES_ROOT\\.html", "HKEY_CLASSES_ROOT\\.xlt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo", "HKEY_CLASSES_ROOT\\.reg", "HKEY_CLASSES_ROOT\\.mp2v", "HKEY_CLASSES_ROOT\\.usr", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\iphlpsvc\\Config", "HKEY_CLASSES_ROOT\\.pif", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_CLASSES_ROOT\\.pic", "HKEY_CLASSES_ROOT\\.res", "HKEY_CLASSES_ROOT\\.m14", "HKEY_CLASSES_ROOT\\.cpp", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_CLASSES_ROOT\\.cpl", "HKEY_CLASSES_ROOT\\.pbk", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Upload", "HKEY_CLASSES_ROOT\\.386", "HKEY_CLASSES_ROOT\\.xlc", "HKEY_CLASSES_ROOT\\.AAC", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}", "HKEY_CLASSES_ROOT\\.evtx", "HKEY_LOCAL_MACHINE\\System\\Setup", "HKEY_CLASSES_ROOT\\.m1v", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\CLSID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider", "HKEY_CLASSES_ROOT\\.eprtx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NetSh", "HKEY_CLASSES_ROOT\\.vcf", "HKEY_CLASSES_ROOT\\.xsd", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Shared", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Mail", "HKEY_CLASSES_ROOT\\.ppt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM", "HKEY_CLASSES_ROOT\\.pps", "HKEY_CLASSES_ROOT\\.tsv", "HKEY_CLASSES_ROOT\\.tsp", "HKEY_CLASSES_ROOT\\.hxx", "HKEY_CLASSES_ROOT\\.ilk", "HKEY_CURRENT_USER\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}", "HKEY_CLASSES_ROOT\\.sed", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocHandler32", "HKEY_CLASSES_ROOT\\.ics", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager", "HKEY_CLASSES_ROOT\\.mk", "HKEY_CLASSES_ROOT\\.spc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.tdl", "HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}", "HKEY_CLASSES_ROOT\\.icc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0\\win32", "HKEY_CLASSES_ROOT\\.mv", "HKEY_CLASSES_ROOT\\.icm", "HKEY_CLASSES_ROOT\\.icl", "HKEY_CLASSES_ROOT\\.ico", "HKEY_CLASSES_ROOT\\.der", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.xsl", "HKEY_CLASSES_ROOT\\.def", "HKEY_CLASSES_ROOT\\.ncb", "HKEY_CLASSES_ROOT\\.fky", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32", "HKEY_CLASSES_ROOT\\.swf", "HKEY_CLASSES_ROOT\\.M2V", "HKEY_CLASSES_ROOT\\.z96", "HKEY_CLASSES_ROOT\\.M2T", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Download", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocHandler", "HKEY_CLASSES_ROOT\\.ttc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Publication", "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}", "HKEY_CLASSES_ROOT\\.zip", "HKEY_CLASSES_ROOT\\.bsc", "HKEY_CLASSES_ROOT\\.shtml", "HKEY_CLASSES_ROOT\\.psc1", "HKEY_CLASSES_ROOT\\.ghi", "HKEY_CLASSES_ROOT\\.dbg", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\TreatAs", "HKEY_CLASSES_ROOT\\.pmr", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.dbs", "HKEY_CLASSES_ROOT\\.3g2", "HKEY_CLASSES_ROOT\\.pml", "HKEY_CLASSES_ROOT\\.pmc", "HKEY_CLASSES_ROOT\\.pma", "HKEY_CLASSES_ROOT\\.ADTS", "HKEY_CLASSES_ROOT\\.pfx", "HKEY_CLASSES_ROOT\\.mig", "HKEY_CLASSES_ROOT\\.mid", "HKEY_CURRENT_USER\\CDO.Message", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters", "HKEY_CLASSES_ROOT\\.webpnp", "HKEY_CLASSES_ROOT\\.wpl", "HKEY_CLASSES_ROOT\\.pfm", "HKEY_CLASSES_ROOT\\.label", "HKEY_CLASSES_ROOT\\.sbr", "HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}", "HKEY_CLASSES_ROOT\\.cc", "HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut", "HKEY_CLASSES_ROOT\\.bas", "HKEY_CLASSES_ROOT\\.bat", "HKEY_CLASSES_ROOT\\.cs", "HKEY_CLASSES_ROOT\\.VBE", "HKEY_CLASSES_ROOT\\.DVR", "HKEY_CLASSES_ROOT\\.asx", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System", "HKEY_CLASSES_ROOT\\.asp", "HKEY_CLASSES_ROOT\\.osdx", "HKEY_CLASSES_ROOT\\.db", "HKEY_CLASSES_ROOT\\.eps", "HKEY_CLASSES_ROOT\\.asm", "HKEY_CLASSES_ROOT\\.asa", "HKEY_CLASSES_ROOT\\.etp", "HKEY_CLASSES_ROOT\\.asc", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup", "HKEY_CLASSES_ROOT\\.asf", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\AutoUpdate_RASMANCS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0", "HKEY_CLASSES_ROOT\\.latex", "HKEY_CLASSES_ROOT\\.otf", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Preconfigured", "HKEY_CLASSES_ROOT\\.vxd", "HKEY_CLASSES_ROOT\\.sit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Content Type\\text\/plain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider", "HKEY_CLASSES_ROOT\\.cmd", "HKEY_CLASSES_ROOT\\.stl", "HKEY_CLASSES_ROOT\\.stm", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", "HKEY_CLASSES_ROOT\\.theme", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local", "HKEY_CLASSES_ROOT\\.gadget", "HKEY_CLASSES_ROOT\\FirefoxHTML-E7CF176E110C211B", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail", "HKEY_CLASSES_ROOT\\.tif", "HKEY_CLASSES_ROOT\\.edrwx", "HKEY_CLASSES_ROOT\\.dat", "HKEY_CLASSES_ROOT\\.diz", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621", "HKEY_CURRENT_USER\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623", "HKEY_CLASSES_ROOT\\.wdp", "HKEY_CLASSES_ROOT\\.wcx", "HKEY_CLASSES_ROOT\\.lnk", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32", "HKEY_CLASSES_ROOT\\.xslt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Publisher", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79621", "HKEY_CLASSES_ROOT\\.rmi", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79623", "HKEY_CLASSES_ROOT\\.psd1", "HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\CLSID", "HKEY_CLASSES_ROOT\\.pl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Discovery", "HKEY_CURRENT_USER\\winmgmts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider", "HKEY_CLASSES_ROOT\\.midi", "HKEY_CLASSES_ROOT\\.jnt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\(Default)", "HKEY_CLASSES_ROOT\\.lgn", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}", "HKEY_CLASSES_ROOT\\.csproj", "HKEY_CLASSES_ROOT\\.vbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0", "HKEY_CLASSES_ROOT\\.vbx", "HKEY_CLASSES_ROOT\\.3gp2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\9", "HKEY_CLASSES_ROOT\\.psm1", "HKEY_CLASSES_ROOT\\.cxx", "HKEY_CLASSES_ROOT\\.3gp", "HKEY_CLASSES_ROOT\\.JSE", "HKEY_CLASSES_ROOT\\.emf", "HKEY_CLASSES_ROOT\\.rc2", "HKEY_CLASSES_ROOT\\.vbproj", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache", "HKEY_CLASSES_ROOT\\.gz", "HKEY_CLASSES_ROOT\\.img", "HKEY_CLASSES_ROOT\\.imc", "HKEY_CLASSES_ROOT\\.M2TS", "HKEY_CLASSES_ROOT\\.mpeg", "HKEY_CLASSES_ROOT\\.wbcat", "HKEY_CLASSES_ROOT\\.3gpp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HandleMgr", "HKEY_CLASSES_ROOT\\.xix", "HKEY_CLASSES_ROOT\\.user", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad", "HKEY_CLASSES_ROOT\\.fnd", "HKEY_CLASSES_ROOT\\.rct", "HKEY_CLASSES_ROOT\\.wmv", "HKEY_CLASSES_ROOT\\.idl", "HKEY_CLASSES_ROOT\\.wmp", "HKEY_CLASSES_ROOT\\.ps1", "HKEY_CLASSES_ROOT\\.wmx", "HKEY_CLASSES_ROOT\\.wmz", "HKEY_CLASSES_ROOT\\.fnt", "HKEY_CLASSES_ROOT\\.wmf", "HKEY_CLASSES_ROOT\\.wma", "HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}", "HKEY_CLASSES_ROOT\\.idq", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79619", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79617", "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}", "HKEY_CLASSES_ROOT\\.hqx", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider", "HKEY_CLASSES_ROOT\\.mp4v", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "HKEY_CLASSES_ROOT\\.msi", "HKEY_CLASSES_ROOT\\.lib", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CDO.Message\\CLSID", "HKEY_CLASSES_ROOT\\.msg", "HKEY_CLASSES_ROOT\\.msc", "HKEY_CLASSES_ROOT\\.gif", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Peers\\Connection", "HKEY_CLASSES_ROOT\\.msu", "HKEY_CLASSES_ROOT\\.msp", "HKEY_CLASSES_ROOT\\.obj", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid", "HKEY_CLASSES_ROOT\\.webm", "HKEY_CLASSES_ROOT\\.RDP", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager", "HKEY_CLASSES_ROOT\\.IVF", "HKEY_CLASSES_ROOT\\.H1V", "HKEY_CLASSES_ROOT\\.H1W", "HKEY_CLASSES_ROOT\\.H1T", "HKEY_CLASSES_ROOT\\.dsw", "HKEY_CLASSES_ROOT\\.dsp", "HKEY_CLASSES_ROOT\\.H1S", "HKEY_CLASSES_ROOT\\.H1Q", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP", "HKEY_CLASSES_ROOT\\.movie", "HKEY_CLASSES_ROOT\\.H1F", "HKEY_CLASSES_ROOT\\.H1D", "HKEY_CLASSES_ROOT\\.viw", "HKEY_CLASSES_ROOT\\.mmf", "HKEY_CLASSES_ROOT\\.vsscc", "HKEY_CLASSES_ROOT\\.dsn", "HKEY_CLASSES_ROOT\\.H1K", "HKEY_CLASSES_ROOT\\.H1H", "HKEY_CLASSES_ROOT\\.xbap", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "HKEY_CLASSES_ROOT\\.ex_", "HKEY_CLASSES_ROOT\\.xrm-ms", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing", "HKEY_CLASSES_ROOT\\.WSH", "HKEY_CLASSES_ROOT\\.bin", "HKEY_CLASSES_ROOT\\.aps", "HKEY_CLASSES_ROOT\\.jpg", "HKEY_CLASSES_ROOT\\.jpe", "HKEY_CLASSES_ROOT\\.exp", "HKEY_CLASSES_ROOT\\.ext", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin", "HKEY_CLASSES_ROOT\\.mhtml", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts", "HKEY_CLASSES_ROOT\\.pyo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0", "HKEY_CLASSES_ROOT\\.text", "HKEY_CLASSES_ROOT\\.exe", "HKEY_CLASSES_ROOT\\.xml", "HKEY_CLASSES_ROOT\\.URL", "HKEY_CLASSES_ROOT\\.sql", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Peers\\Connection", "HKEY_CLASSES_ROOT\\.hdp", "HKEY_CLASSES_ROOT\\.tgz", "HKEY_CLASSES_ROOT\\.xaml", "HKEY_CLASSES_ROOT\\.rgs", "HKEY_CLASSES_ROOT\\.grp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs", "HKEY_CURRENT_USER\\TypeLib", "HKEY_CLASSES_ROOT\\.tli", "HKEY_CLASSES_ROOT\\.tlh", "HKEY_CLASSES_ROOT\\.odt", "HKEY_CLASSES_ROOT\\.tlb", "HKEY_CLASSES_ROOT\\.wmdb", "HKEY_CLASSES_ROOT\\.py", "HKEY_CLASSES_ROOT\\.ogg", "HKEY_CLASSES_ROOT\\.ascx", "HKEY_CLASSES_ROOT\\.aif", "HKEY_CLASSES_ROOT\\.oga", "HKEY_CLASSES_ROOT\\.ps", "HKEY_CLASSES_ROOT\\.dib", "HKEY_CLASSES_ROOT\\.dic", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32", "HKEY_CLASSES_ROOT\\.rll", "HKEY_CLASSES_ROOT\\.docx", "HKEY_CLASSES_ROOT\\.ogv", "HKEY_CLASSES_ROOT\\.rle", "HKEY_CLASSES_ROOT\\.sc2", "HKEY_CLASSES_ROOT\\.local", "HKEY_CLASSES_ROOT\\HTTP\\shell\\open\\command", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache", "HKEY_CLASSES_ROOT\\.rul", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups\\(Default)", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor", "HKEY_CLASSES_ROOT\\.pyc", "HKEY_CLASSES_ROOT\\.in_", "HKEY_CLASSES_ROOT\\.cur", "HKEY_CLASSES_ROOT\\.WSF", "HKEY_CLASSES_ROOT\\.pyw", "HKEY_CURRENT_USER\\MIME\\Database\\Rfc1766", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_CLASSES_ROOT\\.inv", "HKEY_CLASSES_ROOT\\.wri", "HKEY_CLASSES_ROOT\\.nvr", "HKEY_CLASSES_ROOT\\.easmx", "HKEY_CLASSES_ROOT\\.sct", "HKEY_CLASSES_ROOT\\.mak", "HKEY_CLASSES_ROOT\\.scr", "HKEY_CLASSES_ROOT\\.inx", "HKEY_CLASSES_ROOT\\.scp", "HKEY_CLASSES_ROOT\\.inf", "HKEY_CLASSES_ROOT\\.inc", "HKEY_CLASSES_ROOT\\.man", "HKEY_CLASSES_ROOT\\.m3u", "HKEY_CLASSES_ROOT\\.scf", "HKEY_CLASSES_ROOT\\.inl", "HKEY_CLASSES_ROOT\\.scd", "HKEY_CLASSES_ROOT\\.scc", "HKEY_CLASSES_ROOT\\.ini", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DiscoveryManager", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Protocol", "HKEY_CLASSES_ROOT\\.jpeg", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HandleMgr", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0", "HKEY_CLASSES_ROOT\\MIME\\Database\\Content Type", "HKEY_CLASSES_ROOT\\.snd", "HKEY_CLASSES_ROOT\\.xht", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0", "HKEY_CLASSES_ROOT\\.bmp", "HKEY_CLASSES_ROOT\\.cgm", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider", "HKEY_CLASSES_ROOT\\.jtx", "HKEY_CLASSES_ROOT\\.m4b", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.jtp", "HKEY_CLASSES_ROOT\\.hhc", "HKEY_CLASSES_ROOT\\.sch", "HKEY_CLASSES_ROOT\\.ans", "HKEY_CLASSES_ROOT\\.ani", "HKEY_CLASSES_ROOT\\.dwfx", "HKEY_CLASSES_ROOT\\.p7m", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\409", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.p7b", "HKEY_CLASSES_ROOT\\.p7c", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winsat", "HKEY_CLASSES_ROOT\\.p7r", "HKEY_CLASSES_ROOT\\.pko", "HKEY_CLASSES_ROOT\\.vspscc", "HKEY_CLASSES_ROOT\\.pds", "HKEY_CLASSES_ROOT\\.crt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AutoUpdate.exe", "HKEY_CLASSES_ROOT\\.rpc", "HKEY_CLASSES_ROOT\\.java", "HKEY_CLASSES_ROOT\\.pdb", "HKEY_CLASSES_ROOT\\.crd", "HKEY_CLASSES_ROOT\\.pdf", "HKEY_CLASSES_ROOT\\.UDL", "HKEY_CLASSES_ROOT\\.crl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Protocol", "HKEY_CLASSES_ROOT\\.drv", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid", "HKEY_CLASSES_ROOT\\.ttf", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CooperativeCaching", "HKEY_CLASSES_ROOT\\.bcp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache\\Connection", "HKEY_CLASSES_ROOT\\.jav", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Publication", "HKEY_CLASSES_ROOT\\.TS", "HKEY_CLASSES_ROOT\\.camp", "HKEY_CLASSES_ROOT\\.aiff", "HKEY_CLASSES_ROOT\\.prf", "HKEY_CLASSES_ROOT\\.prc", "HKEY_CLASSES_ROOT\\.aifc", "HKEY_CLASSES_ROOT\\.WTV", "HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}", "HKEY_CLASSES_ROOT\\.xhtml", "HKEY_CLASSES_ROOT\\.plg", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0\\win32", "HKEY_CLASSES_ROOT\\.mydocs", "HKEY_CLASSES_ROOT\\.php3", "HKEY_CURRENT_USER\\Interface\\{027947E1-D731-11CE-A357-000000000001}", "HKEY_CLASSES_ROOT\\.sy_", "HKEY_CLASSES_ROOT\\.srf", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32", "HKEY_CLASSES_ROOT\\.DVR-MS", "HKEY_CLASSES_ROOT\\.fif", "HKEY_CLASSES_ROOT\\.i", "HKEY_CLASSES_ROOT\\.Job", "HKEY_CLASSES_ROOT\\.h", "HKEY_CLASSES_ROOT\\.msdvd", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Upload", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\UtilityIndex", "HKEY_CLASSES_ROOT\\.asmx", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32", "HKEY_CLASSES_ROOT\\.sys", "HKEY_CLASSES_ROOT\\.sym", "HKEY_CLASSES_ROOT\\.hlp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Service", "HKEY_CLASSES_ROOT\\.s", "HKEY_CLASSES_ROOT\\.mp2", "HKEY_CLASSES_ROOT\\.mp3", "HKEY_CLASSES_ROOT\\.mp4", "HKEY_CLASSES_ROOT\\.sr_", "HKEY_CLASSES_ROOT\\.odc", "HKEY_CLASSES_ROOT\\.wav", "HKEY_CLASSES_ROOT\\.wax", "HKEY_CLASSES_ROOT\\.odl", "HKEY_CLASSES_ROOT\\.oc_", "HKEY_CLASSES_ROOT\\.odh", "HKEY_CLASSES_ROOT\\.dl_", "HKEY_CLASSES_ROOT\\.wab", "HKEY_CLASSES_ROOT\\.ADT", "HKEY_CLASSES_ROOT\\.dll", "HKEY_CLASSES_ROOT\\.c", "HKEY_CLASSES_ROOT\\.a", "HKEY_CLASSES_ROOT\\.mpa", "HKEY_CLASSES_ROOT\\.ocx", "HKEY_CLASSES_ROOT\\.mpe", "HKEY_CLASSES_ROOT\\.iso", "HKEY_CLASSES_ROOT\\.mpg", "HKEY_CLASSES_ROOT\\.pot", "HKEY_CLASSES_ROOT\\.cdmp", "HKEY_CLASSES_ROOT\\.x", "HKEY_CLASSES_ROOT\\.vcproj", "HKEY_CLASSES_ROOT\\.z", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler" ], "resolves_host": [ "..localmachine", "cuckpc", "wpad", "localhost" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Roaming\\log\\04-01-2020_11.53.jpg", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Roaming\\log\\ssfn*", "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.htm", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData\\Roaming\\log", "C:\\Windows\\System32\\C_932.NLS", "C:\\Windows\\System32\\qagentrt.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin", "C:\\Windows\\System32\\C_950.NLS", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Windows\\System32\\C_28591.NLS", "C:\\Windows\\System32\\tsgqec.dll", "C:\\Windows\\System32\\C_936.NLS", "C:\\Windows\\System32\\EAPQEC.DLL", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm", "C:\\Windows\\System32\\p2pcollab.dll", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "C:\\Windows\\System32\\C_949.NLS", "C:\\Users\\cuck\\AppData\\Local\\Temp\\web_history.dll", "C:\\Windows\\System32\\napipsec.dll", "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.vdf", "C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2", "C:\\Windows\\System32\\DHCPQEC.DLL" ], "mutex": [ "IESQMMUTEX_0_208", "Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7" ], "file_failed": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2" ], "guid": [ "{70b51430-b6ca-11d0-b9b9-00a0c922e750}", "{432a1da5-3888-4b9a-a734-cff1e448c5b9}", "{275c23e2-3747-11d0-9fea-00aa003f8646}", "{00000003-0000-0000-c000-000000000046}", "{00000146-0000-0000-c000-000000000046}", "{44aca674-e8fc-11d0-a07c-00c04fb68820}", "{ea4a0a43-1c8f-4c7b-a4b1-28ecbd96ba8c}", "{dccfc164-2b38-11d2-b7ec-00c04f8f5d9a}", "{00020400-0000-0000-c000-000000000046}", "{fd853ce8-7f86-11d0-8252-00c04fd85ab4}", "{dcb00c01-570f-4a9b-8d69-199fdba5723b}", "{fd465481-1384-11d0-abbd-0020afdfd10a}", "{0000011a-0000-0000-c000-000000000046}", "{cd000001-8b95-11d1-82db-00c04fb1625d}", "{0df2c7e6-3435-11d0-81d0-00c04fd85ab4}", "{bf0ec44a-c6ae-4bc5-a0ca-d33fa6c9c6c2}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{674b6698-ee92-11d0-ad71-00c04fd8fdff}", "{3bc15af2-736c-477e-9e51-238af8667dcc}", "{0df2c7e2-3435-11d0-81d0-00c04fd85ab4}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{dc12a687-737f-11cf-884d-00aa004b2e24}", "{00000323-0000-0000-c000-000000000046}", "{a4f96ed0-f829-476e-81c0-cdc7bd2a0802}", "{172bddf8-ceea-11d1-8b05-00600806d9b6}", "{07a1127b-18cc-422a-b988-e892600fcc74}", "{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}", "{f309ad18-d86a-11d0-a075-00c04fb68820}", "{dcb00000-570f-4a9b-8d69-199fdba5723b}", "{00000560-0000-0010-8000-00aa006d2ea4}", "{00000567-0000-0010-8000-00aa006d2ea4}", "{eb082ba1-df8a-46be-82f3-35bf9e9be52f}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{fd853ce6-7f86-11d0-8252-00c04fd85ab4}", "{3124c396-fb13-4836-a6ad-1317f1713688}", "{8d4b04e1-1331-11d0-81b8-00c04fd85ab4}", "{275c23e1-3747-11d0-9fea-00aa003f8646}", "{a9e69610-b80d-11d0-b9b9-00a0c922e750}", "{7c857801-7381-11cf-884d-00aa004b2e24}", "{8bc3f05e-d86b-11d0-a075-00c04fb68820}", "{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4590f812-1d3a-11d0-891f-00aa004b2e24}" ], "wmi_query": [ "Select * from AntiVirusProduct" ], "command_line": [ "C:\\Windows\\system32\\cmd.exe \/c C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe all", "systeminfo", "HOSTNAME", "netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "C:\\Windows\\system32\\cmd.exe \/k HOSTNAME", "C:\\Windows\\system32\\cmd.exe \/k systeminfo", "C:\\Windows\\system32\\cmd.exe \/c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE", "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1 " ], "file_read": [ "C:\\Windows\\System32\\wbem\\wbemdisp.tlb", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm", "C:\\Windows\\SysWOW64\\cdosys.dll", "C:\\Windows\\SysWOW64\\stdole2.tlb" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nvr\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\PolicyRefreshInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize", "HKEY_CURRENT_USER\\.html\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c2r\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\DiscoveryProviderDllPath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tdl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rmi\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Component Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TS\\Content Type", "HKEY_CURRENT_USER\\.htm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p12\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Validator Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pko\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.camp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rgs\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bmp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inx\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Description", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlh\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mlc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msi\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idq\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mmf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asmx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sql\\Content Type", "HKEY_CURRENT_USER\\.oga\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pbk\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3g2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ServerRole", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileDirectory", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail\\Disable RFC2646 Wrapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Vendor Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tar\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2v\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlb\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingDownloads", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.au\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7m\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1H\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xslt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hta\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rpc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mhtml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ex_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exp\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Enabled", "HKEY_CURRENT_USER\\.htm\\(Default)", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor", "HKEY_CURRENT_USER\\.xhtml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADT\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.a\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winsat\\PrimaryAdapterString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\TransportDllPath", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts\\PreConfigVer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ClientAuth", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default News Account", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xix\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sym\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdmp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mid\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fky\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lst\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.text\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmdb\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.plg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sol\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.grp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1F\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyo\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1T\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ascx\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jtx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\041D", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmr\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.local\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.snd\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default Mail Account", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aiff\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\F6C4EC9A", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ghi\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\ProgID\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prf\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsz\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.usr\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.i\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Account Manager\\Preconfigured\\PreConfigVerNTDS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.css\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gpp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dct\\Content Type", "HKEY_CURRENT_USER\\.ogg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.doc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Account Manager\\Preconfigured\\PreConfigVer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.edrwx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\Enable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.trg\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hdp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ai\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bkf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psm1\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.etp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dot\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Component Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CDO.Message\\CLSID\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pic\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSH\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd1\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\Environment\\PROCESSOR_ARCHITECTURE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.faq\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ppt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dl_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpe\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cer\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MOD\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR-MS\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Config Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lib\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rtf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.drv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.db\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mov\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsw\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eyb\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.URL\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Description", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Tracing Level", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vxd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nls\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbproj\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Registration Date", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\ThreadingModel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.osdx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lnk\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bas\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jod\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpeg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sed\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rle\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\GpSvcDebugLevel", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Config Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crds\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sc2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wcx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.386\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.user\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nfo\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Vendor Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\EnableObjectValidation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousUploads", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.art\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m1v\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1Q\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aifc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADTS\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Info Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpa\\Content Type", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4462", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jtp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mak\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7b\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlb\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.blg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jfif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfm\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scr\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cur\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tif\\Content Type", "HKEY_CURRENT_USER\\.xht\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Info Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7c\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ilk\\Content Type", "HKEY_CURRENT_USER\\HTTP\\shell\\open\\command\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gmmp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMD\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.docx\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Validator Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hpp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.kci\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WTV\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ext\\Content Type", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gadget\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1V\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webpnp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSF\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csa\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aspx\\Content Type", "HKEY_CURRENT_USER\\.webm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1C\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1S\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbs\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.viw\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdx\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Description", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default LDAP Account", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xls\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2TS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.VBE\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.iso\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msdvd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tgz\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pdb\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zip\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4b\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tiff\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\PlumbIpsecPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows Mail\\Disable RFC2646 Wrapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.otf\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ani\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1K\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wpl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.reg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jnt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.avi\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hlp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wlt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingOffers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cmd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mht\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pma\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pnf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hxx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dwfx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wbcat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ocx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserenvDebugLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.s\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.IVF\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Friendly Name", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bin\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\MaxFileSize", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udf\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wdp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dos\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\BlockSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Component Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\DisabledComponents", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows Mail\\No modify accts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ico\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted\\Seed", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.label\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sys\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m3u\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cod\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inv\\Content Type", "HKEY_CURRENT_USER\\.shtml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pch\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsn\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eprtx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cab\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPHLPSVC\\config\\Connectivity_Platform_Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.RDP\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dll\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbs\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tab\\Content Type", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BaseBoardManufacturer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Content Type\\text\/plain\\Extension", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csproj\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wav\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m14\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsc\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z96\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo6", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo3", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.man\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcproj\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.def\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo9", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pds\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sor\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.theme\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xaml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tli\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Upgrade", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Friendly Name", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.swf\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Validator Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4a\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rsp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diz\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\Content Type", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vob\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jav\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gz\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\NumBlocksPerSegment", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.imc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.h\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.easmx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.emf\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Component Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1xml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.midi\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.latex\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsp\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Registration Date", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wab\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ncb\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htw\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rct\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lgn\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jbf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshProcName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.py\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.group\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wri\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.srf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TTS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7s\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pot\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider\\Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail\\Store Root", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.com\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sch\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7r\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dib\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hqx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2V\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4v\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.img\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cxx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp3\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.java\\Content Type", "HKEY_CURRENT_USER\\.pdf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mig\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.der\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpe\\Content Type", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crd\\Content Type", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2T\\Content Type", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sst\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xrm-ms\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wtx\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Friendly Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Description", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sbr\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msp\\Content Type", "HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsd\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\DoNotUseSSL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odh\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Config Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.obj\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fon\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wax\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rul\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyw\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.movie\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asa\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousDownloads", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4p\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.x\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bcp\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Vendor Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\28591", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\RepubQuorumSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.spc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_CURRENT_USER\\.ogv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vsscc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sy_\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Registration Date", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sct\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ics\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xbap\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chk\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sr_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Config Clsid", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vspscc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\CryptoAlgo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cls\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psc1\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.UDL\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\MinBackoffWindow", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.qds\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wvx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dic\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mk\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1D\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Info Clsid", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BaseBoardProduct", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Info Clsid", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enable Tracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MTS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cda\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4v\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mydocs\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\FileDirectory", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Registration Date", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evtx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.AAC\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Friendly Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p10\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cs\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vssscc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1W\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\TransportDllPath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wll\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rll\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\ForceRoamingDetect", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ibq\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.JSE\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msu\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mcl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.log\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Vendor Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.in_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.php3\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ans\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpv2\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadExpirationDays", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmz\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Validator Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hhc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.shtm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sit\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.res\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oc_\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bsc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cgm\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts\\PreConfigVerNTDS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wma\\Content Type" ], "directory_enumerated": [ "C:\\Windows\\System32\\systeminfo.COM", "C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe", "C:\\Users\\cuck\\AppData\\Roaming\\log\\04-01-2020_11.53.jpg", "C:\\Users\\cuck\\AppData", "C:\\Python27\\systeminfo", "C:\\Users\\cuck\\AppData\\Local\\Temp\\systeminfo", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk", "C:\\Users\\cuck\\AppData\\Roaming\\log\\ssfn*", "C:\\Users\\cuck\\AppData\\Local\\Temp\\systeminfo.*", "C:\\Python27\\Scripts\\HOSTNAME", "C:\\Windows\\System32\\ras\\*.pbk", "C:\\Windows\\System32\\netsh.exe", "C:\\Python27\\HOSTNAME", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\account*.oeaccount", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account*.oeaccount", "C:\\Users\\cuck\\AppData\\Local\\Temp\\HOSTNAME.*", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Windows\\System32\\systeminfo.EXE", "C:\\Users\\cuck\\AppData\\Local", "C:\\Python27\\Scripts\\HOSTNAME.*", "C:\\Windows\\System32\\HOSTNAME.COM", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Python27\\HOSTNAME.*", "C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh", "C:\\Windows\\System32\\netsh.*", "C:\\Windows\\System32\\netsh.COM", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users", "C:\\Windows\\System32\\HOSTNAME.EXE", "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk", "C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh.*", "C:\\Windows\\System32\\HOSTNAME.*", "C:\\Windows\\System32\\systeminfo.*", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\account*.oeaccount", "C:\\Python27\\Scripts\\netsh.*", "C:\\Python27\\netsh.*", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Temp\\HOSTNAME", "C:\\Python27\\Scripts\\systeminfo.*", "C:\\Python27\\Scripts\\systeminfo", "C:\\Python27\\systeminfo.*", "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.htm", "C:\\Users\\cuck\\AppData\\Roaming\\log", "C:\\Python27\\netsh", "C:\\Python27\\Scripts\\netsh", "C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe.*", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\web_history.dll", "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.vdf" ], "directory_created": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail", "C:\\Users\\cuck\\AppData\\Roaming\\log" ] }
[ { "yara": [], "sha1": "b82c33981ce537dcf3299f6c78882625fbbe1f6c", "name": "262b1f7f651f5863_bozvxpz", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "type": "ASCII text, with very long lines, with no line terminators", "sha256": "262b1f7f651f5863ba7c6b8f18564a4a6463a6a342af59f032e4d4ae10d13362", "urls": [], "crc32": "7931D437", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/262b1f7f651f5863_bozvxpz", "ssdeep": null, "size": 6260, "sha512": "755bd28238f94c7688cd8af0e98525f6a9b4911dc20075c78f5452db419a4430f4f7d46f87d7780fd575d692c5d48291472ede18c56a30f311a2d1973a0d687b", "pids": [ 1512 ], "md5": "16bfd8f38cd0115b67788e9ecde56f50" }, { "yara": [], "sha1": "fa7b26fcb2802806c6b6c5e7508d56a70541e30e", "name": "3deee640f885e200_aut578B.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "type": "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed", "sha256": "3deee640f885e200cdd5bb9ef7e747f56dff577d5b6eebf73bd20c6ec0c84517", "urls": [], "crc32": "58036846", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/3deee640f885e200_aut578B.tmp", "ssdeep": null, "size": 438784, "sha512": "2c7088e2d87dac7d5efa30d20d40cf0514fc4f1d2a9d5ce11cfb33f0514b28a0e69c3c74884d6e55674fb119035eda194cacb99ccd80958fdbf1ca49e4241cd2", "pids": [ 1512 ], "md5": "4e69f56a7eb39e8d55b600ddce3c5e30" }, { "yara": [], "sha1": "a336349df59e49095b4e994bb376ebb71520c217", "name": "b25872261fc8a9e1_Info.txt", "filepath": "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "type": "ASCII text, with CRLF line terminators", "sha256": "b25872261fc8a9e1893b0bd5427d60a6911a5a107237141fbd1507d10ff11676", "urls": [], "crc32": "5A9FDEEF", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/b25872261fc8a9e1_Info.txt", "ssdeep": null, "size": 2369, "sha512": "90752ba3f8adf4258018e6b6a3b8fab7648e0e8879d50576d0d2311c12c93756d59701d45dd2c6b1a0fab1b4ea103ab38d14fee375606f2ac1b1975e902281ad", "pids": [ 1512, 2804 ], "md5": "6870d723344d5370240bc0812de41bb8" }, { "yara": [], "sha1": "4d64633440e92566f7ca9c3211748c0864ee5647", "name": "5f1f5aedc0e8283b_kxpzmdz", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "type": "ASCII text, with very long lines, with no line terminators", "sha256": "5f1f5aedc0e8283b61c741fee5f81b0832553889cb020aa862f86e84dc081427", "urls": [], "crc32": "D6FAB275", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/5f1f5aedc0e8283b_kxpzmdz", "ssdeep": null, "size": 28568, "sha512": "35d2b5f540c22bc1802ea5654b8b759c85fc90666b8576fd38c0f01bf2be941eab9ba0ea1919651675748ce470fe812fd7ed6df82c465c4c6064f37eae468541", "pids": [ 2804 ], "md5": "4bfba866bc1e7b6c5be9723dc6886a77" }, { "yara": [], "sha1": "537c226126f648a30fcf2bf034ab19dde41c569f", "name": "6c4d82b17fad0407_aut8197.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "type": "data", "sha256": "6c4d82b17fad0407ca27c3f6cba04704d4400faf5c5210e446b569e7db96e366", "urls": [], "crc32": "4921EA38", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/6c4d82b17fad0407_aut8197.tmp", "ssdeep": null, "size": 7660, "sha512": "1868cbde5e5e6dd83f5692b73572aaf307f8b6d0310b1a00bf3b76b382d3c481013635280a7274f3a2dcfc865418555219a36ef6c474ee2716ca99166399de73", "pids": [ 2804 ], "md5": "4765c8da6b3c425a66b50515048c842f" }, { "yara": [], "sha1": "6b0c76c1ce0cc04cf542ca8673d0b9d668f12c4e", "name": "7a9c538eb27ade05_logs_04.01.2020.htm", "filepath": "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm", "type": "HTML document, ASCII text, with very long lines, with CRLF line terminators", "sha256": "7a9c538eb27ade05b376f520725fb45f85292fa811106aac017dbc874a0648e0", "urls": [], "crc32": "A41E71F8", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/7a9c538eb27ade05_logs_04.01.2020.htm", "ssdeep": null, "size": 6879, "sha512": "98aa940b84b4913ceb887b0590f6abdf1440882052053bc7bf727bec8a70c1dd96d7cfda2f4a1976cc37aed7a1afdc91538e07ed7ec2bc49bde882d1320805f1", "pids": [ 2804 ], "md5": "cc4b3d19a3d2d4c45eba346c31c5495e" }, { "yara": [], "sha1": "cb39766d4b9ff64d3f0c2533200be7450d15fa02", "name": "7338b2872d563090_aut572C.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "type": "data", "sha256": "7338b2872d5630901e256767305aaae30f0fcd2d3ed49fbc6b3aa75bf87fc6e2", "urls": [], "crc32": "B665BD21", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/7338b2872d563090_aut572C.tmp", "ssdeep": null, "size": 3118, "sha512": "9242c4f092f9e81742dda74167510a6db5d3aee64e2d7553393090386752a9418c66205a7be3e6c1e65f239c6af967d9da3a6d510d2ea8c8e0dd49c59556ecce", "pids": [ 1512 ], "md5": "5e78666c11c13bc28f99a16164392560" }, { "yara": [], "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "name": "e3b0c44298fc1c14_Passwords.txt", "type": "empty", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "urls": [], "crc32": "00000000", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/e3b0c44298fc1c14_Passwords.txt", "ssdeep": null, "size": 0, "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e", "md5": "d41d8cd98f00b204e9800998ecf8427e" } ]
[ { "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "process_name": "cmd.exe", "pid": 800, "summary": { "dll_loaded": [ "kernel32.dll" ], "file_opened": [ "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls" ], "regkey_opened": [ "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Local\\Temp" ], "command_line": [ "HOSTNAME" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar" ], "directory_enumerated": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\HOSTNAME.*", "C:\\Python27\\HOSTNAME", "C:\\Users\\cuck\\AppData", "C:\\Windows\\System32\\HOSTNAME.*", "C:\\Python27\\Scripts\\HOSTNAME.*", "C:\\Windows\\System32\\HOSTNAME.COM", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Temp\\HOSTNAME", "C:\\Python27\\Scripts\\HOSTNAME", "C:\\Users", "C:\\Python27\\HOSTNAME.*", "C:\\Users\\cuck\\AppData\\Local", "C:\\Windows\\System32\\HOSTNAME.EXE" ] }, "first_seen": 1578135197.775499, "ppid": 2804 }, { "process_path": "C:\\Windows\\SysWOW64\\netsh.exe", "process_name": "netsh.exe", "pid": 1576, "summary": { "file_recreated": [ "\\Device\\Http\\Communication", "\\Device\\KsecDD" ], "regkey_written": [ "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100" ], "dll_loaded": [ "RASMONTR.DLL", "WSHELPER.DLL", "RpcRtRemote.dll", "kernel32.dll", "NSHIPSEC.DLL", "HTTPAPI.dll", "API-MS-WIN-Service-Management-L2-1-0.dll", "HNETMON.DLL", "API-MS-WIN-Service-Management-L1-1-0.dll", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "IFMON.DLL", "RPCNSH.DLL", "ole32.dll", "CRYPTSP.dll", "USER32.dll", "NETIOHLP.DLL", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "ADVAPI32.dll", "NSHWFP.DLL", "NAPMONTR.DLL", "NSHHTTP.DLL", "WHHELPER.DLL", "PEERDISTSH.DLL", "GPAPI.dll", "FWCFG.DLL", "AUTHFWCFG.DLL", "P2PNETSH.DLL", "DOT3CFG.DLL", "WLANCFG.DLL", "DHCPCMONITOR.DLL", "userenv.dll" ], "file_opened": [ "C:\\Windows\\System32\\en-US\\napipsec.dll.mui", "C:\\Windows\\System32\\EAPQEC.DLL", "C:\\Windows\\System32\\en-US\\eapqec.dll.mui", "C:\\Windows\\System32\\napipsec.dll", "C:\\Windows\\System32\\DHCPQEC.DLL", "C:\\Windows\\System32\\tsgqec.dll" ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Republication", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PeerDist", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\Connection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\PolicyProvider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Publisher", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79621", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79623", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Discovery", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DiscoveryManager", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\iphlpsvc\\Config", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Protocol", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache\\Connection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HandleMgr", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Publisher", "HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Upload", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7", "HKEY_LOCAL_MACHINE\\System\\Setup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Roaming", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\UI", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Peers\\Connection", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79619", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79617", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Protocol", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Peers\\Connection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CooperativeCaching", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Download", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Publication", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Publication", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HandleMgr", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Download", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NetSh", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CooperativeCaching", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\UtilityIndex", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Republication", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\UtilityIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Service", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Upload", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager\\Restricted", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Discovery" ], "file_exists": [ "C:\\Windows\\System32\\napipsec.dll", "C:\\Windows\\System32\\qagentrt.dll", "C:\\Windows\\System32\\EAPQEC.DLL", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Windows\\System32\\DHCPQEC.DLL", "C:\\Windows\\System32\\p2pcollab.dll", "C:\\Windows\\System32\\tsgqec.dll" ], "mutex": [ "Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7" ], "guid": [ "{432a1da5-3888-4b9a-a734-cff1e448c5b9}", "{00000323-0000-0000-c000-000000000046}", "{00000146-0000-0000-c000-000000000046}", "{07a1127b-18cc-422a-b988-e892600fcc74}", "{ea4a0a43-1c8f-4c7b-a4b1-28ecbd96ba8c}", "{bf0ec44a-c6ae-4bc5-a0ca-d33fa6c9c6c2}", "{eb082ba1-df8a-46be-82f3-35bf9e9be52f}" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\PolicyRefreshInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\DiscoveryProviderDllPath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Component Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\Enable", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Component Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider\\Type", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Validator Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingOffers", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Config Clsid", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Version", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Description", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Tracing Level", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserenvDebugLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\DoNotUseSSL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\TransportDllPath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousUploads", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Registration Date", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Friendly Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Validator Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ServerRole", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\GpSvcDebugLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousDownloads", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Vendor Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\BlockSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Component Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Vendor Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Vendor Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\RepubQuorumSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\TransportDllPath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingDownloads", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\MinBackoffWindow", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Registration Date", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\NumBlocksPerSegment", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Component Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Info Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Description", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Config Clsid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\CryptoAlgo", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPHLPSVC\\config\\Connectivity_Platform_Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ClientAuth", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Config Clsid", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Config Clsid", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0\\Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Info Clsid", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Info Clsid", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Vendor Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Info Clsid", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enable Tracing", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Upgrade", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Friendly Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Registration Date", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Friendly Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted\\Seed", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Friendly Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\ForceRoamingDetect", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Description", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Description", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\F6C4EC9A", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Validator Clsid", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Validator Clsid", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Registration Date", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshProcName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\DisabledComponents", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\PlumbIpsecPolicy" ] }, "first_seen": 1578135188.853626, "ppid": 2584 }, { "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin", "process_name": "a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin", "pid": 1512, "summary": { "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt" ], "file_recreated": [ "\\??\\nul", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp" ], "directory_created": [ "C:\\Users\\cuck\\AppData\\Roaming\\log" ], "dll_loaded": [ "COMDLG32.dll", "C:\\Windows\\System32\\mswsock.dll", "DNSAPI.dll", "DHCPCSVC.DLL", "kernel32.dll", "UxTheme.dll", "dwmapi.dll", "C:\\Windows\\system32\\napinsp.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "WININET.dll", "SXS.DLL", "KERNEL32.DLL", "WSOCK32.dll", "RASMAN.DLL", "comctl32", "ole32.dll", "USERENV.dll", "USER32.dll", "IMM32.dll", "MPR.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "rtutils.dll", "IPHLPAPI.DLL", "wininet.dll", "OLEAUT32.dll", "C:\\Windows\\system32\\pnrpnsp.dll", "SHELL32.dll", "C:\\Windows\\System32\\winrnr.dll", "PSAPI.DLL", "comctl32.dll", "COMCTL32.dll", "VERSION.dll", "WINMM.dll", "GDI32.dll", "C:\\Windows\\SysWOW64\\oleaut32.dll", "ADVAPI32.dll", "WS2_32.dll" ], "file_opened": [ "", "C:\\Users\\cuck\\AppData\\Roaming\\", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Local\\Temp", "\\Device\\NamedPipe\\", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "C:\\Windows\\System32\\wbem\\wbemdisp.tlb", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin", "C:\\Windows\\SysWOW64\\stdole2.tlb" ], "file_copied": [ [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe" ] ], "connects_host": [ "icanhazip.com", "62.108.34.111" ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winsat", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid", "HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin", "HKEY_CURRENT_USER\\winmgmts", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", "HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt", "HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", "HKEY_CURRENT_USER\\Control Panel\\Mouse", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad", "HKEY_CLASSES_ROOT\\HTTP\\shell\\open\\command", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32", "HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}", "HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32", "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\409", "HKEY_CURRENT_USER\\TypeLib", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\9", "HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2", "HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0" ], "resolves_host": [ "wpad", "cuckpc", "localhost" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin", "C:\\Users\\cuck\\AppData\\Local\\Temp\\web_history.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Roaming\\log", "C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2" ], "mutex": [ "IESQMMUTEX_0_208" ], "file_failed": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2" ], "guid": [ "{dcb00c01-570f-4a9b-8d69-199fdba5723b}", "{f309ad18-d86a-11d0-a075-00c04fb68820}", "{172bddf8-ceea-11d1-8b05-00600806d9b6}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{44aca674-e8fc-11d0-a07c-00c04fb68820}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{0000011a-0000-0000-c000-000000000046}", "{674b6698-ee92-11d0-ad71-00c04fd8fdff}", "{3bc15af2-736c-477e-9e51-238af8667dcc}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{7c857801-7381-11cf-884d-00aa004b2e24}", "{8bc3f05e-d86b-11d0-a075-00c04fb68820}", "{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}", "{dcb00000-570f-4a9b-8d69-199fdba5723b}", "{dc12a687-737f-11cf-884d-00aa004b2e24}" ], "wmi_query": [ "Select * from AntiVirusProduct" ], "command_line": [ "C:\\Windows\\system32\\cmd.exe \/k systeminfo", "C:\\Windows\\system32\\cmd.exe \/c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE", "C:\\Windows\\system32\\cmd.exe \/c C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe all", "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1 ", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe" ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp", "C:\\Windows\\SysWOW64\\stdole2.tlb", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Windows\\System32\\wbem\\wbemdisp.tlb" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winsat\\PrimaryAdapterString", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\Environment\\PROCESSOR_ARCHITECTURE", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BaseBoardProduct", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_CURRENT_USER\\HTTP\\shell\\open\\command\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory", "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BaseBoardManufacturer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize", "HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)" ], "directory_enumerated": [ "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk", "C:\\Users\\cuck\\AppData\\Local\\Temp\\web_history.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk", "C:\\Users\\cuck", "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk", "C:\\Users", "C:\\Windows\\System32\\ras\\*.pbk", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "C:\\Users\\cuck\\AppData\\Local" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoUpdate", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TaskbarNoNotification", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory" ] }, "first_seen": 1578135186.546875, "ppid": 2892 }, { "process_path": "C:\\Windows\\SysWOW64\\HOSTNAME.EXE", "process_name": "HOSTNAME.EXE", "pid": 2680, "summary": { "regkey_opened": [ "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable" ], "dll_loaded": [ "API-MS-Win-Security-SDDL-L1-1-0.dll", "C:\\Windows\\system32\\pnrpnsp.dll", "C:\\Windows\\system32\\NLAapi.dll", "C:\\Windows\\System32\\winrnr.dll", "DNSAPI.dll", "C:\\Windows\\System32\\mswsock.dll", "WS2_32.dll", "rpcrt4.dll", "C:\\Windows\\system32\\napinsp.dll" ] }, "first_seen": 1578135197.947374, "ppid": 800 }, { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 476, "summary": {}, "first_seen": 1578135186.3125, "ppid": 376 }, { "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "process_name": "cmd.exe", "pid": 2360, "summary": { "file_opened": [ "C:\\" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Local\\Temp" ], "regkey_opened": [ "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar" ], "directory_enumerated": [ "C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe.*", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck", "C:\\Users", "C:\\Users\\cuck\\AppData\\Local" ] }, "first_seen": 1578135191.400499, "ppid": 1512 }, { "process_path": "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "process_name": "AutoUpdate.exe", "pid": 2804, "summary": { "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz" ], "file_recreated": [ "\\??\\nul", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileTracingMask", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Server ID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\MaxFileSize", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default LDAP Account" ], "dll_loaded": [ "COMDLG32.dll", "gdi32.dll", "kernel32.dll", "UxTheme.dll", "dwmapi.dll", "ntdll.dll", "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "WININET.dll", "SXS.DLL", "KERNEL32.DLL", "WSOCK32.dll", "RASMAN.DLL", "comctl32", "ole32.dll", "USERENV.dll", "USER32.dll", "IMM32.dll", "gdiplus.dll", "MPR.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "rtutils.dll", "IPHLPAPI.DLL", "WinInet.dll", "Avicap32.dll", "OLEAUT32.dll", "SHELL32.dll", "PSAPI.DLL", "comctl32.dll", "COMCTL32.dll", "VERSION.dll", "WINMM.dll", "GDI32.dll", "MLANG.dll", "C:\\Windows\\SysWOW64\\oleaut32.dll", "ADVAPI32.dll", "WS2_32.dll", "user32.dll" ], "file_opened": [ "", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount", "C:\\Windows\\System32\\netmsg.dll", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount", "\\Device\\NamedPipe\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm", "C:\\Windows\\SysWOW64\\cdosys.dll", "C:\\Windows\\SysWOW64\\stdole2.tlb" ], "connects_host": [ "icanhazip.com" ], "regkey_opened": [ "HKEY_CLASSES_ROOT\\.tiff", "HKEY_CLASSES_ROOT\\.avi", "HKEY_CLASSES_ROOT\\.group", "HKEY_CLASSES_ROOT\\.wsc", "HKEY_CLASSES_ROOT\\.vssscc", "HKEY_CLASSES_ROOT\\.ai", "HKEY_CLASSES_ROOT\\.wsz", "HKEY_CLASSES_ROOT\\.au", "HKEY_CLASSES_ROOT\\.wvx", "HKEY_CLASSES_ROOT\\.c2r", "HKEY_CLASSES_ROOT\\.TTS", "HKEY_CLASSES_ROOT\\.mlc", "HKEY_CLASSES_ROOT\\.js", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.gmmp", "HKEY_CLASSES_ROOT\\.evt", "HKEY_CLASSES_ROOT\\.xls", "HKEY_CLASSES_ROOT\\.eyb", "HKEY_CLASSES_ROOT\\.cda", "HKEY_CLASSES_ROOT\\.cdx", "HKEY_CLASSES_ROOT\\.xlb", "HKEY_CLASSES_ROOT\\.jbf", "HKEY_CLASSES_ROOT\\.com", "HKEY_CLASSES_ROOT\\.lst", "HKEY_CLASSES_ROOT\\.cod", "HKEY_CLASSES_ROOT\\.dct", "HKEY_CLASSES_ROOT\\.nls", "HKEY_CLASSES_ROOT\\.mov", "HKEY_CLASSES_ROOT\\.H1C", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\VFW", "HKEY_CLASSES_ROOT\\.wm", "HKEY_CLASSES_ROOT\\.rsp", "HKEY_CLASSES_ROOT\\.pch", "HKEY_CLASSES_ROOT\\txtfile", "HKEY_CLASSES_ROOT\\.hpp", "HKEY_CLASSES_ROOT\\.wtx", "HKEY_CLASSES_ROOT\\.rtf", "HKEY_CURRENT_USER\\CLSID\\{00000000-0000-0000-0000-000000000000}", "HKEY_CLASSES_ROOT\\.m4v", "HKEY_CLASSES_ROOT\\.m4p", "HKEY_CLASSES_ROOT\\.art", "HKEY_CLASSES_ROOT\\.bkf", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\Progid", "HKEY_CLASSES_ROOT\\.m4a", "HKEY_CLASSES_ROOT\\.kci", "HKEY_CLASSES_ROOT\\.qds", "HKEY_CLASSES_ROOT\\.cab", "HKEY_CLASSES_ROOT\\.p12", "HKEY_CLASSES_ROOT\\.p10", "HKEY_CLASSES_ROOT\\.MTS", "HKEY_CLASSES_ROOT\\.cat", "HKEY_CLASSES_ROOT\\.aspx", "HKEY_CLASSES_ROOT\\.psd", "HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt", "HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}", "HKEY_CLASSES_ROOT\\.ibq", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0", "HKEY_CLASSES_ROOT\\.sor", "HKEY_CLASSES_ROOT\\.blg", "HKEY_CLASSES_ROOT\\.chm", "HKEY_CLASSES_ROOT\\.chk", "HKEY_CLASSES_ROOT\\.sol", "HKEY_CLASSES_ROOT\\.vob", "HKEY_CLASSES_ROOT\\.rat", "HKEY_CLASSES_ROOT\\.MOD", "HKEY_CLASSES_ROOT\\.xps", "HKEY_CLASSES_ROOT\\.log", "HKEY_CLASSES_ROOT\\.rc", "HKEY_CLASSES_ROOT\\.faq", "HKEY_CLASSES_ROOT\\.png", "HKEY_CLASSES_ROOT\\.pnf", "HKEY_CLASSES_ROOT\\.doc", "HKEY_CLASSES_ROOT\\.mpv2", "HKEY_CLASSES_ROOT\\.dos", "HKEY_CLASSES_ROOT\\.dot", "HKEY_CLASSES_ROOT\\.jod", "HKEY_CLASSES_ROOT\\.csv", "HKEY_CLASSES_ROOT\\.css", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\409", "HKEY_CLASSES_ROOT\\.mht", "HKEY_CLASSES_ROOT\\.csa", "HKEY_CLASSES_ROOT\\.udt", "HKEY_CLASSES_ROOT\\.htx", "HKEY_CLASSES_ROOT\\.crds", "HKEY_CLASSES_ROOT\\.trg", "HKEY_CLASSES_ROOT\\.htt", "HKEY_CLASSES_ROOT\\.htw", "HKEY_CLASSES_ROOT\\.mcl", "HKEY_CLASSES_ROOT\\.udf", "HKEY_CLASSES_ROOT\\.htm", "HKEY_CLASSES_ROOT\\.shtm", "HKEY_CLASSES_ROOT\\.hta", "HKEY_CLASSES_ROOT\\.htc", "HKEY_CLASSES_ROOT\\.p7s", "HKEY_CLASSES_ROOT\\.txt", "HKEY_CLASSES_ROOT\\.WMS", "HKEY_CLASSES_ROOT\\.WMD", "HKEY_CLASSES_ROOT\\.jfif", "HKEY_CLASSES_ROOT\\.wlt", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager", "HKEY_CLASSES_ROOT\\.fon", "HKEY_CLASSES_ROOT\\.wll", "HKEY_CLASSES_ROOT\\.cer", "HKEY_CLASSES_ROOT\\.tab", "HKEY_CLASSES_ROOT\\.nfo", "HKEY_CLASSES_ROOT\\.cls", "HKEY_CLASSES_ROOT\\.ps1xml", "HKEY_CLASSES_ROOT\\.tar", "HKEY_CURRENT_USER\\Control Panel\\Mouse", "HKEY_CLASSES_ROOT\\.sst", "HKEY_CLASSES_ROOT\\.html", "HKEY_CLASSES_ROOT\\.xlt", "HKEY_CLASSES_ROOT\\.reg", "HKEY_CLASSES_ROOT\\.mp2v", "HKEY_CLASSES_ROOT\\.usr", "HKEY_CLASSES_ROOT\\.pif", "HKEY_CLASSES_ROOT\\.pic", "HKEY_CLASSES_ROOT\\.res", "HKEY_CLASSES_ROOT\\.m14", "HKEY_CLASSES_ROOT\\.cpp", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_CLASSES_ROOT\\.cpl", "HKEY_CLASSES_ROOT\\.pbk", "HKEY_CLASSES_ROOT\\.386", "HKEY_CLASSES_ROOT\\.xlc", "HKEY_CLASSES_ROOT\\.AAC", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}", "HKEY_CLASSES_ROOT\\.evtx", "HKEY_CLASSES_ROOT\\.m1v", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\CLSID", "HKEY_CLASSES_ROOT\\.eprtx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}", "HKEY_CLASSES_ROOT\\.vcf", "HKEY_CLASSES_ROOT\\.xsd", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Shared", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Mail", "HKEY_CLASSES_ROOT\\.ppt", "HKEY_CLASSES_ROOT\\.pps", "HKEY_CLASSES_ROOT\\.tsv", "HKEY_CLASSES_ROOT\\.tsp", "HKEY_CLASSES_ROOT\\.hxx", "HKEY_CLASSES_ROOT\\.ilk", "HKEY_CLASSES_ROOT\\.sed", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocHandler32", "HKEY_CLASSES_ROOT\\.ics", "HKEY_CLASSES_ROOT\\.mk", "HKEY_CLASSES_ROOT\\.spc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.tdl", "HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}", "HKEY_CLASSES_ROOT\\.icc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0\\win32", "HKEY_CLASSES_ROOT\\.mv", "HKEY_CLASSES_ROOT\\.icm", "HKEY_CLASSES_ROOT\\.icl", "HKEY_CLASSES_ROOT\\.ico", "HKEY_CLASSES_ROOT\\.der", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32", "HKEY_CLASSES_ROOT\\.xsl", "HKEY_CLASSES_ROOT\\.def", "HKEY_CLASSES_ROOT\\.ncb", "HKEY_CLASSES_ROOT\\.fky", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32", "HKEY_CLASSES_ROOT\\.swf", "HKEY_CLASSES_ROOT\\.M2V", "HKEY_CLASSES_ROOT\\.z96", "HKEY_CLASSES_ROOT\\.M2T", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocHandler", "HKEY_CLASSES_ROOT\\.ttc", "HKEY_CLASSES_ROOT\\.zip", "HKEY_CLASSES_ROOT\\.bsc", "HKEY_CLASSES_ROOT\\.shtml", "HKEY_CLASSES_ROOT\\.psc1", "HKEY_CLASSES_ROOT\\.ghi", "HKEY_CLASSES_ROOT\\.dbg", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\TreatAs", "HKEY_CLASSES_ROOT\\.pmr", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.dbs", "HKEY_CLASSES_ROOT\\.3g2", "HKEY_CLASSES_ROOT\\.pml", "HKEY_CLASSES_ROOT\\.pmc", "HKEY_CLASSES_ROOT\\.pma", "HKEY_CLASSES_ROOT\\.ADTS", "HKEY_CLASSES_ROOT\\.pfx", "HKEY_CLASSES_ROOT\\.mig", "HKEY_CLASSES_ROOT\\.mid", "HKEY_CURRENT_USER\\CDO.Message", "HKEY_CLASSES_ROOT\\.webpnp", "HKEY_CLASSES_ROOT\\.wpl", "HKEY_CLASSES_ROOT\\.pfm", "HKEY_CLASSES_ROOT\\.label", "HKEY_CLASSES_ROOT\\.sbr", "HKEY_CLASSES_ROOT\\.cc", "HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut", "HKEY_CLASSES_ROOT\\.bas", "HKEY_CLASSES_ROOT\\.bat", "HKEY_CLASSES_ROOT\\.cs", "HKEY_CLASSES_ROOT\\.VBE", "HKEY_CLASSES_ROOT\\.DVR", "HKEY_CLASSES_ROOT\\.asx", "HKEY_CLASSES_ROOT\\.asp", "HKEY_CLASSES_ROOT\\.osdx", "HKEY_CLASSES_ROOT\\.db", "HKEY_CLASSES_ROOT\\.eps", "HKEY_CLASSES_ROOT\\.asm", "HKEY_CLASSES_ROOT\\.asa", "HKEY_CLASSES_ROOT\\.etp", "HKEY_CLASSES_ROOT\\.asc", "HKEY_CLASSES_ROOT\\.asf", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\AutoUpdate_RASMANCS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0", "HKEY_CLASSES_ROOT\\.latex", "HKEY_CLASSES_ROOT\\.otf", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Preconfigured", "HKEY_CLASSES_ROOT\\.vxd", "HKEY_CLASSES_ROOT\\.sit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Content Type\\text\/plain", "HKEY_CLASSES_ROOT\\.cmd", "HKEY_CLASSES_ROOT\\.stl", "HKEY_CLASSES_ROOT\\.stm", "HKEY_CLASSES_ROOT\\.theme", "HKEY_CLASSES_ROOT\\.gadget", "HKEY_CLASSES_ROOT\\FirefoxHTML-E7CF176E110C211B", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail", "HKEY_CLASSES_ROOT\\.tif", "HKEY_CLASSES_ROOT\\.edrwx", "HKEY_CLASSES_ROOT\\.dat", "HKEY_CLASSES_ROOT\\.diz", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}", "HKEY_CURRENT_USER\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}", "HKEY_CLASSES_ROOT\\.wdp", "HKEY_CLASSES_ROOT\\.wcx", "HKEY_CLASSES_ROOT\\.lnk", "HKEY_CLASSES_ROOT\\.xslt", "HKEY_CLASSES_ROOT\\.rmi", "HKEY_CLASSES_ROOT\\.psd1", "HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\CLSID", "HKEY_CLASSES_ROOT\\.pl", "HKEY_CLASSES_ROOT\\.midi", "HKEY_CLASSES_ROOT\\.jnt", "HKEY_CLASSES_ROOT\\.lgn", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}", "HKEY_CLASSES_ROOT\\.csproj", "HKEY_CLASSES_ROOT\\.vbs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0", "HKEY_CLASSES_ROOT\\.vbx", "HKEY_CLASSES_ROOT\\.3gp2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\9", "HKEY_CLASSES_ROOT\\.psm1", "HKEY_CLASSES_ROOT\\.cxx", "HKEY_CLASSES_ROOT\\.3gp", "HKEY_CLASSES_ROOT\\.JSE", "HKEY_CLASSES_ROOT\\.emf", "HKEY_CLASSES_ROOT\\.rc2", "HKEY_CLASSES_ROOT\\.vbproj", "HKEY_CLASSES_ROOT\\.gz", "HKEY_CLASSES_ROOT\\.img", "HKEY_CLASSES_ROOT\\.imc", "HKEY_CLASSES_ROOT\\.M2TS", "HKEY_CLASSES_ROOT\\.mpeg", "HKEY_CLASSES_ROOT\\.wbcat", "HKEY_CLASSES_ROOT\\.3gpp", "HKEY_CLASSES_ROOT\\.xix", "HKEY_CLASSES_ROOT\\.user", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad", "HKEY_CLASSES_ROOT\\.fnd", "HKEY_CLASSES_ROOT\\.rct", "HKEY_CLASSES_ROOT\\.wmv", "HKEY_CLASSES_ROOT\\.idl", "HKEY_CLASSES_ROOT\\.wmp", "HKEY_CLASSES_ROOT\\.ps1", "HKEY_CLASSES_ROOT\\.wmx", "HKEY_CLASSES_ROOT\\.wmz", "HKEY_CLASSES_ROOT\\.fnt", "HKEY_CLASSES_ROOT\\.wmf", "HKEY_CLASSES_ROOT\\.wma", "HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}", "HKEY_CLASSES_ROOT\\.idq", "HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs", "HKEY_CLASSES_ROOT\\.hqx", "HKEY_CLASSES_ROOT\\.mp4v", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32", "HKEY_CLASSES_ROOT\\.msi", "HKEY_CLASSES_ROOT\\.lib", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CDO.Message\\CLSID", "HKEY_CLASSES_ROOT\\.msg", "HKEY_CLASSES_ROOT\\.msc", "HKEY_CLASSES_ROOT\\.gif", "HKEY_CLASSES_ROOT\\.msu", "HKEY_CLASSES_ROOT\\.msp", "HKEY_CLASSES_ROOT\\.obj", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid", "HKEY_CLASSES_ROOT\\.webm", "HKEY_CLASSES_ROOT\\.RDP", "HKEY_CLASSES_ROOT\\.IVF", "HKEY_CLASSES_ROOT\\.H1V", "HKEY_CLASSES_ROOT\\.H1W", "HKEY_CLASSES_ROOT\\.H1T", "HKEY_CLASSES_ROOT\\.dsw", "HKEY_CLASSES_ROOT\\.dsp", "HKEY_CLASSES_ROOT\\.H1S", "HKEY_CLASSES_ROOT\\.H1Q", "HKEY_CLASSES_ROOT\\.movie", "HKEY_CLASSES_ROOT\\.H1F", "HKEY_CLASSES_ROOT\\.H1D", "HKEY_CLASSES_ROOT\\.viw", "HKEY_CLASSES_ROOT\\.mmf", "HKEY_CLASSES_ROOT\\.vsscc", "HKEY_CLASSES_ROOT\\.dsn", "HKEY_CLASSES_ROOT\\.H1K", "HKEY_CLASSES_ROOT\\.H1H", "HKEY_CLASSES_ROOT\\.xbap", "HKEY_CLASSES_ROOT\\.ex_", "HKEY_CLASSES_ROOT\\.xrm-ms", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing", "HKEY_CLASSES_ROOT\\.bin", "HKEY_CLASSES_ROOT\\.aps", "HKEY_CLASSES_ROOT\\.jpg", "HKEY_CLASSES_ROOT\\.jpe", "HKEY_CLASSES_ROOT\\.exp", "HKEY_CLASSES_ROOT\\.ext", "HKEY_CLASSES_ROOT\\.mhtml", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts", "HKEY_CLASSES_ROOT\\.pyo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0", "HKEY_CLASSES_ROOT\\.text", "HKEY_CLASSES_ROOT\\.exe", "HKEY_CLASSES_ROOT\\.xml", "HKEY_CLASSES_ROOT\\.URL", "HKEY_CLASSES_ROOT\\.sql", "HKEY_CLASSES_ROOT\\.hdp", "HKEY_CLASSES_ROOT\\.tgz", "HKEY_CLASSES_ROOT\\.xaml", "HKEY_CLASSES_ROOT\\.rgs", "HKEY_CLASSES_ROOT\\.grp", "HKEY_CURRENT_USER\\TypeLib", "HKEY_CLASSES_ROOT\\.tli", "HKEY_CLASSES_ROOT\\.tlh", "HKEY_CLASSES_ROOT\\.odt", "HKEY_CLASSES_ROOT\\.tlb", "HKEY_CLASSES_ROOT\\.wmdb", "HKEY_CLASSES_ROOT\\.py", "HKEY_CLASSES_ROOT\\.ogg", "HKEY_CLASSES_ROOT\\.ascx", "HKEY_CLASSES_ROOT\\.aif", "HKEY_CLASSES_ROOT\\.oga", "HKEY_CLASSES_ROOT\\.ps", "HKEY_CLASSES_ROOT\\.dib", "HKEY_CLASSES_ROOT\\.dic", "HKEY_CLASSES_ROOT\\.rll", "HKEY_CLASSES_ROOT\\.docx", "HKEY_CLASSES_ROOT\\.ogv", "HKEY_CLASSES_ROOT\\.rle", "HKEY_CLASSES_ROOT\\.sc2", "HKEY_CLASSES_ROOT\\.local", "HKEY_CLASSES_ROOT\\.rul", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM", "HKEY_CLASSES_ROOT\\.WSH", "HKEY_CLASSES_ROOT\\.pyc", "HKEY_CLASSES_ROOT\\.in_", "HKEY_CLASSES_ROOT\\.cur", "HKEY_CLASSES_ROOT\\.WSF", "HKEY_CLASSES_ROOT\\.pyw", "HKEY_CLASSES_ROOT\\.inv", "HKEY_CLASSES_ROOT\\.wri", "HKEY_CLASSES_ROOT\\.nvr", "HKEY_CLASSES_ROOT\\.easmx", "HKEY_CLASSES_ROOT\\.sct", "HKEY_CLASSES_ROOT\\.mak", "HKEY_CLASSES_ROOT\\.scr", "HKEY_CLASSES_ROOT\\.inx", "HKEY_CLASSES_ROOT\\.scp", "HKEY_CLASSES_ROOT\\.inf", "HKEY_CLASSES_ROOT\\.inc", "HKEY_CLASSES_ROOT\\.man", "HKEY_CLASSES_ROOT\\.m3u", "HKEY_CLASSES_ROOT\\.scf", "HKEY_CLASSES_ROOT\\.inl", "HKEY_CLASSES_ROOT\\.scd", "HKEY_CLASSES_ROOT\\.scc", "HKEY_CLASSES_ROOT\\.ini", "HKEY_CLASSES_ROOT\\.jpeg", "HKEY_CLASSES_ROOT\\MIME\\Database\\Content Type", "HKEY_CLASSES_ROOT\\.snd", "HKEY_CLASSES_ROOT\\.xht", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0", "HKEY_CLASSES_ROOT\\.bmp", "HKEY_CLASSES_ROOT\\.cgm", "HKEY_CLASSES_ROOT\\.jtx", "HKEY_CLASSES_ROOT\\.m4b", "HKEY_CLASSES_ROOT\\.jtp", "HKEY_CLASSES_ROOT\\.hhc", "HKEY_CLASSES_ROOT\\.sch", "HKEY_CLASSES_ROOT\\.ans", "HKEY_CLASSES_ROOT\\.ani", "HKEY_CLASSES_ROOT\\.dwfx", "HKEY_CLASSES_ROOT\\.p7m", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32", "HKEY_CLASSES_ROOT\\.p7b", "HKEY_CLASSES_ROOT\\.p7c", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0", "HKEY_CLASSES_ROOT\\.p7r", "HKEY_CLASSES_ROOT\\.pko", "HKEY_CLASSES_ROOT\\.vspscc", "HKEY_CLASSES_ROOT\\.pds", "HKEY_CLASSES_ROOT\\.crt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AutoUpdate.exe", "HKEY_CLASSES_ROOT\\.rpc", "HKEY_CLASSES_ROOT\\.java", "HKEY_CLASSES_ROOT\\.pdb", "HKEY_CLASSES_ROOT\\.crd", "HKEY_CLASSES_ROOT\\.pdf", "HKEY_CLASSES_ROOT\\.UDL", "HKEY_CLASSES_ROOT\\.crl", "HKEY_CLASSES_ROOT\\.drv", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid", "HKEY_CLASSES_ROOT\\.ttf", "HKEY_CLASSES_ROOT\\.bcp", "HKEY_CLASSES_ROOT\\.jav", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32", "HKEY_CLASSES_ROOT\\.TS", "HKEY_CLASSES_ROOT\\.camp", "HKEY_CLASSES_ROOT\\.aiff", "HKEY_CLASSES_ROOT\\.prf", "HKEY_CLASSES_ROOT\\.prc", "HKEY_CLASSES_ROOT\\.aifc", "HKEY_CLASSES_ROOT\\.WTV", "HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}", "HKEY_CLASSES_ROOT\\.xhtml", "HKEY_CLASSES_ROOT\\.plg", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0\\win32", "HKEY_CLASSES_ROOT\\.mydocs", "HKEY_CLASSES_ROOT\\.php3", "HKEY_CLASSES_ROOT\\.sy_", "HKEY_CLASSES_ROOT\\.srf", "HKEY_CLASSES_ROOT\\.DVR-MS", "HKEY_CLASSES_ROOT\\.fif", "HKEY_CLASSES_ROOT\\.i", "HKEY_CLASSES_ROOT\\.Job", "HKEY_CLASSES_ROOT\\.h", "HKEY_CLASSES_ROOT\\.msdvd", "HKEY_CLASSES_ROOT\\.asmx", "HKEY_CLASSES_ROOT\\.sys", "HKEY_CLASSES_ROOT\\.sym", "HKEY_CLASSES_ROOT\\.hlp", "HKEY_CLASSES_ROOT\\.s", "HKEY_CLASSES_ROOT\\.mp2", "HKEY_CLASSES_ROOT\\.mp3", "HKEY_CLASSES_ROOT\\.mp4", "HKEY_CLASSES_ROOT\\.sr_", "HKEY_CLASSES_ROOT\\.odc", "HKEY_CLASSES_ROOT\\.wav", "HKEY_CLASSES_ROOT\\.wax", "HKEY_CLASSES_ROOT\\.odl", "HKEY_CLASSES_ROOT\\.oc_", "HKEY_CLASSES_ROOT\\.odh", "HKEY_CLASSES_ROOT\\.dl_", "HKEY_CLASSES_ROOT\\.wab", "HKEY_CLASSES_ROOT\\.ADT", "HKEY_CLASSES_ROOT\\.dll", "HKEY_CLASSES_ROOT\\.c", "HKEY_CLASSES_ROOT\\.a", "HKEY_CLASSES_ROOT\\.mpa", "HKEY_CLASSES_ROOT\\.ocx", "HKEY_CLASSES_ROOT\\.mpe", "HKEY_CLASSES_ROOT\\.iso", "HKEY_CLASSES_ROOT\\.mpg", "HKEY_CLASSES_ROOT\\.pot", "HKEY_CLASSES_ROOT\\.cdmp", "HKEY_CLASSES_ROOT\\.x", "HKEY_CLASSES_ROOT\\.vcproj", "HKEY_CLASSES_ROOT\\.z", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler" ], "resolves_host": [ "..localmachine" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Roaming\\log\\04-01-2020_11.53.jpg", "C:\\Windows\\System32\\C_28591.NLS", "C:\\Windows\\System32\\C_936.NLS", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Roaming\\log\\ssfn*", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\System32\\C_949.NLS", "C:\\Windows\\System32\\C_950.NLS", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.htm", "C:\\Users\\cuck\\AppData\\Roaming\\log", "C:\\Windows\\System32\\C_932.NLS", "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.vdf" ], "guid": [ "{70b51430-b6ca-11d0-b9b9-00a0c922e750}", "{275c23e2-3747-11d0-9fea-00aa003f8646}", "{dcb00c01-570f-4a9b-8d69-199fdba5723b}", "{a4f96ed0-f829-476e-81c0-cdc7bd2a0802}", "{fd465481-1384-11d0-abbd-0020afdfd10a}", "{275c23e1-3747-11d0-9fea-00aa003f8646}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{cd000001-8b95-11d1-82db-00c04fb1625d}", "{fd853ce6-7f86-11d0-8252-00c04fd85ab4}", "{0df2c7e6-3435-11d0-81d0-00c04fd85ab4}", "{3124c396-fb13-4836-a6ad-1317f1713688}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{8d4b04e1-1331-11d0-81b8-00c04fd85ab4}", "{00000567-0000-0010-8000-00aa006d2ea4}", "{dccfc164-2b38-11d2-b7ec-00c04f8f5d9a}", "{a9e69610-b80d-11d0-b9b9-00a0c922e750}", "{0df2c7e2-3435-11d0-81d0-00c04fd85ab4}", "{fd853ce8-7f86-11d0-8252-00c04fd85ab4}", "{00020400-0000-0000-c000-000000000046}", "{dcb00000-570f-4a9b-8d69-199fdba5723b}", "{00000560-0000-0010-8000-00aa006d2ea4}" ], "command_line": [ "C:\\Windows\\system32\\cmd.exe \/k HOSTNAME", "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1 " ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount", "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm", "C:\\Windows\\SysWOW64\\cdosys.dll", "C:\\Windows\\SysWOW64\\stdole2.tlb" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nvr\\Content Type", "HKEY_CURRENT_USER\\.html\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c2r\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tdl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rmi\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TS\\Content Type", "HKEY_CURRENT_USER\\.htm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p12\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pko\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.camp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rgs\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bmp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inx\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlh\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mlc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msi\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idq\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mmf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asmx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sql\\Content Type", "HKEY_CURRENT_USER\\.oga\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pbk\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3g2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileDirectory", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail\\Disable RFC2646 Wrapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tar\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2v\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlb\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.au\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7m\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1H\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xslt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hta\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rpc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mhtml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ex_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exp\\Content Type", "HKEY_CURRENT_USER\\.htm\\(Default)", "HKEY_CURRENT_USER\\.xhtml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADT\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.a\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts\\PreConfigVer", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default News Account", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xix\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sym\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdmp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mid\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fky\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpg\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lst\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.text\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.plg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sol\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.grp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1F\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyo\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1T\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ascx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jtx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmr\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.local\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.snd\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default Mail Account", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aiff\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ghi\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\ProgID\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsz\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.usr\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.i\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Account Manager\\Preconfigured\\PreConfigVerNTDS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.css\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gpp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dct\\Content Type", "HKEY_CURRENT_USER\\.ogg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.doc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Account Manager\\Preconfigured\\PreConfigVer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.edrwx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.trg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hdp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ai\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bkf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psm1\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.etp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dot\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CDO.Message\\CLSID\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pic\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSH\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd1\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.faq\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ppt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dl_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpe\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cer\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MOD\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR-MS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lib\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rtf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.drv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.db\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mov\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsw\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eyb\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.URL\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vxd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nls\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbproj\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\ThreadingModel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.osdx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lnk\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bas\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jod\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpeg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sed\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rle\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crds\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sc2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wcx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.386\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.user\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nfo\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.art\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m1v\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1Q\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aifc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADTS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmdb\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpa\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jtp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mak\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7b\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlb\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.blg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jfif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfm\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scr\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cur\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tif\\Content Type", "HKEY_CURRENT_USER\\.xht\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7c\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ilk\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gmmp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMD\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.docx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hpp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.kci\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WTV\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ext\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gadget\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1V\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webpnp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSF\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csa\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aspx\\Content Type", "HKEY_CURRENT_USER\\.webm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1C\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1S\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbs\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.viw\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdx\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default LDAP Account", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xls\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2TS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.VBE\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.iso\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msdvd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tgz\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pdb\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zip\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4b\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tiff\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows Mail\\Disable RFC2646 Wrapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.otf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ani\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1K\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wpl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.reg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jnt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.avi\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hlp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wlt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cmd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mht\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pma\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pnf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hxx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dwfx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wbcat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ocx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.s\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.IVF\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bin\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wdp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dos\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows Mail\\No modify accts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ico\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xps\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.label\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sys\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m3u\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msg\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cod\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inv\\Content Type", "HKEY_CURRENT_USER\\.shtml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sch\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pch\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsn\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eprtx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cab\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.RDP\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dll\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbs\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tab\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Content Type\\text\/plain\\Extension", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csproj\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wav\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m14\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z96\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo7", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo6", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo3", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo2", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.man\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcproj\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.def\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo9", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pds\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sor\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.theme\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xaml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tli\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.swf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4a\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rsp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diz\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vob\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jav\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gz\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.imc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.h\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.easmx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.emf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1xml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.midi\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.latex\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wab\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ncb\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pml\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htw\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rct\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lgn\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jbf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.py\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.group\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wri\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.srf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crt\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asp\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TTS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7s\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pot\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail\\Store Root", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.com\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7r\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dib\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hqx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2V\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4v\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.img\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cxx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp3\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.java\\Content Type", "HKEY_CURRENT_USER\\.pdf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mig\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.der\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpe\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2T\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sst\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xrm-ms\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wtx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sbr\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msp\\Content Type", "HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odh\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.obj\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fon\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wax\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rul\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyw\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fif\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.movie\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asa\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4p\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.x\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bcp\\Content Type", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\28591", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.spc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\Content Type", "HKEY_CURRENT_USER\\.ogv\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vsscc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sy_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sct\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ics\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xbap\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chk\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sr_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vspscc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cls\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psc1\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.UDL\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.qds\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wvx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dic\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mk\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0\\win32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1D\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MTS\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cda\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4v\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mydocs\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\FileDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evtx\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.AAC\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p10\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cs\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vssscc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1W\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wll\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rll\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dat\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ibq\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.JSE\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msu\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mcl\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.log\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.in_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.php3\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ans\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpv2\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadExpirationDays", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmz\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hhc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.shtm\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sit\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.res\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oc_\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asf\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bsc\\Content Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cgm\\Content Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts\\PreConfigVerNTDS", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wma\\Content Type" ], "directory_enumerated": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\account*.oeaccount", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account*.oeaccount", "C:\\Users\\cuck\\AppData\\Roaming\\log\\04-01-2020_11.53.jpg", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\account*.oeaccount", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*", "C:\\Users\\cuck\\AppData\\Roaming\\log\\ssfn*", "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users", "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.htm", "C:\\Users\\cuck\\AppData\\Roaming\\log", "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.vdf" ], "directory_created": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail" ] }, "first_seen": 1578135197.462999, "ppid": 1512 }, { "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "process_name": "cmd.exe", "pid": 2584, "summary": { "dll_loaded": [ "kernel32.dll" ], "file_opened": [ "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls" ], "regkey_opened": [ "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Local\\Temp" ], "command_line": [ "netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar" ], "directory_enumerated": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh.*", "C:\\Users\\cuck\\AppData", "C:\\Windows\\System32\\netsh.*", "C:\\Python27\\Scripts\\netsh", "C:\\Python27\\Scripts\\netsh.*", "C:\\Python27\\netsh.*", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh", "C:\\Users\\cuck", "C:\\Python27\\netsh", "C:\\Windows\\System32\\netsh.COM", "C:\\Users", "C:\\Users\\cuck\\AppData\\Local", "C:\\Windows\\System32\\netsh.exe" ] }, "first_seen": 1578135188.681751, "ppid": 1512 }, { "process_path": "C:\\Windows\\SysWOW64\\systeminfo.exe", "process_name": "systeminfo.exe", "pid": 1564, "summary": { "regkey_written": [ "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4462", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386" ], "dll_loaded": [ "OLEAUT32.dll" ], "file_opened": [ "C:\\Windows\\System32\\mlang.dll", "C:\\Windows\\System32\\en-US\\mlang.dll.mui" ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32", "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM", "HKEY_CURRENT_USER\\MIME\\Database\\Rfc1766", "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32", "HKEY_CURRENT_USER\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}", "HKEY_CURRENT_USER\\Interface\\{027947E1-D731-11CE-A357-000000000001}" ], "guid": [ "{4590f812-1d3a-11d0-891f-00aa004b2e24}", "{00000003-0000-0000-c000-000000000046}", "{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{44aca674-e8fc-11d0-a07c-00c04fb68820}", "{674b6698-ee92-11d0-ad71-00c04fd8fdff}", "{8bc3f05e-d86b-11d0-a075-00c04fb68820}", "{7c857801-7381-11cf-884d-00aa004b2e24}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{f309ad18-d86a-11d0-a075-00c04fb68820}", "{dc12a687-737f-11cf-884d-00aa004b2e24}" ], "regkey_read": [ "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4462", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\EnableObjectValidation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\041D", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409" ] }, "first_seen": 1578135194.244249, "ppid": 312 }, { "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "process_name": "cmd.exe", "pid": 312, "summary": { "dll_loaded": [ "kernel32.dll" ], "file_opened": [ "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls" ], "regkey_opened": [ "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Local\\Temp" ], "command_line": [ "systeminfo" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar" ], "directory_enumerated": [ "C:\\Windows\\System32\\systeminfo.COM", "C:\\Windows\\System32\\systeminfo.EXE", "C:\\Users\\cuck\\AppData", "C:\\Python27\\Scripts\\systeminfo", "C:\\Python27\\systeminfo", "C:\\Users\\cuck\\AppData\\Local\\Temp\\systeminfo", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\System32\\systeminfo.*", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Temp\\systeminfo.*", "C:\\Python27\\Scripts\\systeminfo.*", "C:\\Users", "C:\\Python27\\systeminfo.*", "C:\\Users\\cuck\\AppData\\Local" ] }, "first_seen": 1578135194.041124, "ppid": 1512 } ]
[ { "markcount": 4, "families": [], "description": "Queries for the computername", "severity": 1, "marks": [ { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1578135191.593875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 2462 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1578135191.593875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 2466 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1578135194.353249, "tid": 1664, "flags": {} }, "pid": 1564, "type": "call", "cid": 129 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1578135195.541249, "tid": 1664, "flags": {} }, "pid": 1564, "type": "call", "cid": 321 } ], "references": [], "name": "antivm_queries_computername" }, { "markcount": 2, "families": [], "description": "Checks if process is being debugged by a debugger", "severity": 1, "marks": [ { "call": { "category": "system", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741772, "api": "IsDebuggerPresent", "return_value": 0, "arguments": {}, "time": 1578135186.780875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 610 }, { "call": { "category": "system", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741772, "api": "IsDebuggerPresent", "return_value": 0, "arguments": {}, "time": 1578135197.602999, "tid": 1616, "flags": {} }, "pid": 2804, "type": "call", "cid": 604 } ], "references": [], "name": "checks_debugger" }, { "markcount": 2, "families": [], "description": "Command line console output was observed", "severity": 1, "marks": [ { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "WriteConsoleA", "return_value": 1, "arguments": { "buffer": "The syntax supplied for this command is not valid. Check help for the correct syntax.\r\n", "console_handle": "0x00000007" }, "time": 1578135189.884626, "tid": 2248, "flags": {} }, "pid": 1576, "type": "call", "cid": 2626 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "WriteConsoleA", "return_value": 1, "arguments": { "buffer": "\r\nadd allowedprogram\r\n [ program = ] path\r\n [ name = ] name\r\n [ [ mode = ] ENABLE|DISABLE\r\n [ scope = ] ALL|SUBNET|CUSTOM\r\n [ addresses = ] addresses\r\n [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]\r\n\r\n Adds firewall allowed program configuration.\r\n\r\n Parameters:\r\n\r\n program - Program path and file name.\r\n\r\n name - Program name.\r\n\r\n mode - Program mode (optional).\r\n ENABLE - Allow through firewall (default).\r\n DISABLE - Do not allow through firewall.\r\n\r\n scope - Program scope (optional).\r\n ALL - Allow all traffic through firewall (default).\r\n SUBNET - Allow only local network (subnet) traffic through firewall.\r\n CUSTOM - Allow only specified traffic through firewall.\r\n\r\n addresses - Custom scope addresses (optional).\r\n This comma-separated scope can contain IPv4 addresses,\r\n IPv6 addresses, subnets, ranges, or the keyword LocalSubnet.\r\n\r\n profile - Configuration profile (optional).\r\n CURRENT - Applies to the active profile. Active profile can be domain,\r\n standard (i.e. private), or public. (default).\r\n DOMAIN - Applies to the domain profile.\r\n STANDARD - Applies to the standard (i.e. private) profile.\r\n ALL - Applies to the domain and standard (i.e. private) profile.\r\n Does not apply to the public profile.\r\n\r\n Remarks: 'scope' must be 'CUSTOM' to specify 'addresses'.\r\n `addresses' can not contain Unspecified or Loopback addresses.\r\n\r\n Examples:\r\n\r\n add allowedprogram C:\\MyApp\\MyApp.exe \"My Application\" ENABLE\r\n add allowedprogram C:\\MyApp\\MyApp.exe \"My Application\" ENABLE CUSTOM\r\n 157.60.0.1,172.16.0.0\/16,10.0.0.0\/255.0.0.0,\r\n 12AB:0000:0000:CD30::\/60,LocalSubnet\r\n add allowedprogram program=C:\\MyApp\\MyApp.exe name=\"My Application\"\r\n mode=DISABLE\r\n add allowedprogram program=C:\\MyApp\\MyApp.exe name=\"My Application\"\r\n mode=ENABLE scope=CUSTOM addresses=157.60.0.1,\r\n 172.16.0.0\/16,10.0.0.0\/255.0.0.0,\r\n 12AB:0000:0000:CD30::\/60,LocalSubnet\r\n\r\n IMPORTANT: \"netsh firewall\" is deprecated;\r\n use \"netsh advfirewall firewall\" instead.\r\n For more information on using \"netsh advfirewall firewall\" commands\r\n instead of \"netsh firewall\", see KB article 947709\r\n at http:\/\/go.microsoft.com\/fwlink\/?linkid=121488 .\r\n", "console_handle": "0x00000007" }, "time": 1578135189.884626, "tid": 2248, "flags": {} }, "pid": 1576, "type": "call", "cid": 2629 } ], "references": [], "name": "console_output" }, { "markcount": 1, "families": [], "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available", "severity": 1, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "GlobalMemoryStatusEx", "return_value": 1, "arguments": {}, "time": 1578135198.025374, "tid": 2780, "flags": {} }, "pid": 2680, "type": "call", "cid": 30 } ], "references": [], "name": "antivm_memory_available" }, { "markcount": 1, "families": [], "description": "Allocates read-write-execute memory (usually to unpack itself)", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2804, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 12288, "base_address": "0x02920000" }, "time": 1578135198.071999, "tid": 1616, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2804, "type": "call", "cid": 1031 } ], "references": [], "name": "allocates_rwx" }, { "markcount": 0, "families": [], "description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed", "severity": 2, "marks": [], "references": [ "https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb" ], "name": "antisandbox_foregroundwindows" }, { "markcount": 4, "families": [], "description": "Creates a suspicious process", "severity": 2, "marks": [ { "category": "cmdline", "ioc": "C:\\Windows\\system32\\cmd.exe \/c C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe all", "type": "ioc", "description": null }, { "category": "cmdline", "ioc": "C:\\Windows\\system32\\cmd.exe \/k HOSTNAME", "type": "ioc", "description": null }, { "category": "cmdline", "ioc": "C:\\Windows\\system32\\cmd.exe \/k systeminfo", "type": "ioc", "description": null }, { "category": "cmdline", "ioc": "C:\\Windows\\system32\\cmd.exe \/c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE", "type": "ioc", "description": null } ], "references": [], "name": "suspicious_process" }, { "markcount": 1, "families": [], "description": "Drops an executable to the user AppData folder", "severity": 2, "marks": [ { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp", "type": "ioc", "description": null } ], "references": [], "name": "exe_appdata" }, { "markcount": 4, "families": [], "description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "Process32NextW", "return_value": 1, "arguments": { "process_name": "rundll32.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2572 }, "time": 1578135196.702875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3380 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "Process32NextW", "return_value": 1, "arguments": { "process_name": "rundll32.exe", "snapshot_handle": "0x000001e0", "process_identifier": 316 }, "time": 1578135196.702875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3381 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "Process32NextW", "return_value": 1, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.702875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3384 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "Process32NextW", "return_value": 1, "arguments": { "process_name": "AutoUpdate.exe", "snapshot_handle": "0x00000360", "process_identifier": 2804 }, "time": 1578135200.477999, "tid": 1616, "flags": {} }, "pid": 2804, "type": "call", "cid": 1682 } ], "references": [], "name": "injection_process_search" }, { "markcount": 1, "families": [], "description": "Checks adapter addresses which can be used to detect virtual network interfaces", "severity": 2, "marks": [ { "call": { "category": "network", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741772, "api": "GetAdaptersAddresses", "return_value": 111, "arguments": { "flags": 0, "family": 0 }, "time": 1578135188.702875, "tid": 2648, "flags": {} }, "pid": 1512, "type": "call", "cid": 1861 } ], "references": [], "name": "antivm_network_adapters" }, { "markcount": 3, "families": [], "description": "The binary likely contains encrypted or compressed data indicative of a packer", "severity": 2, "marks": [ { "entropy": 7.937117581802646, "section": { "size_of_data": "0x00054200", "virtual_address": "0x000fa000", "entropy": 7.937117581802646, "name": "UPX1", "virtual_size": "0x00055000" }, "type": "generic", "description": "A section with a high entropy has been found" }, { "entropy": 7.954625432393596, "section": { "size_of_data": "0x00076200", "virtual_address": "0x0014f000", "entropy": 7.954625432393596, "name": ".rsrc", "virtual_size": "0x00077000" }, "type": "generic", "description": "A section with a high entropy has been found" }, { "entropy": 1, "type": "generic", "description": "Overall entropy of this PE file is high" } ], "references": [ "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html", "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf" ], "name": "packer_entropy" }, { "markcount": 1, "families": [], "description": "Expresses interest in specific running processes", "severity": 2, "marks": [ { "category": "process", "ioc": "rundll32.exe", "type": "ioc", "description": null } ], "references": [], "name": "process_interest" }, { "markcount": 4446, "families": [], "description": "Repeatedly searches for a not-found process, you may want to run a web browser during analysis", "severity": 2, "marks": [ { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "SearchFilterHost.exe", "snapshot_handle": "0x00000118", "process_identifier": 2816 }, "time": 1578135186.859875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 926 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "SearchFilterHost.exe", "snapshot_handle": "0x00000118", "process_identifier": 2816 }, "time": 1578135186.859875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 967 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "SearchFilterHost.exe", "snapshot_handle": "0x00000118", "process_identifier": 2816 }, "time": 1578135186.859875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 1008 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "SearchFilterHost.exe", "snapshot_handle": "0x00000118", "process_identifier": 2816 }, "time": 1578135186.874875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 1049 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "SearchFilterHost.exe", "snapshot_handle": "0x00000118", "process_identifier": 2816 }, "time": 1578135186.874875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 1090 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "SearchFilterHost.exe", "snapshot_handle": "0x00000118", "process_identifier": 2816 }, "time": 1578135186.874875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 1131 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "SearchFilterHost.exe", "snapshot_handle": "0x00000118", "process_identifier": 2816 }, "time": 1578135186.874875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 1172 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.702875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3385 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.718875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3431 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.718875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3477 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.718875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3523 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.718875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3569 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.718875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3615 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.734875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3661 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.734875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3707 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.734875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3753 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.734875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3799 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.749875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3845 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.749875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3891 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.749875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3937 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.749875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 3983 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.765875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4029 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.765875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4075 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.765875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4121 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.765875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4167 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.765875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4213 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.780875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4259 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.780875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4305 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.780875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4351 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.780875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4397 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.796875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4443 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.796875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4489 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.796875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4535 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.796875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4581 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.796875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4627 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.812875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4673 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.812875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4719 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.812875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4765 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.812875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4811 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.812875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4857 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.827875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4903 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.827875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4949 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.827875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 4995 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.827875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 5041 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.843875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 5087 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.843875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 5133 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.843875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 5179 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.843875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 5225 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.859875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 5271 }, { "call": { "category": "process", "status": 0, "stacktrace": [], "last_error": 18, "nt_status": -2147483642, "api": "Process32NextW", "return_value": 0, "arguments": { "process_name": "TrustedInstaller.exe", "snapshot_handle": "0x000001e0", "process_identifier": 2844 }, "time": 1578135196.859875, "tid": 2732, "flags": {} }, "pid": 1512, "type": "call", "cid": 5317 } ], "references": [], "name": "process_needed" }, { "markcount": 2, "families": [], "description": "The executable is compressed using UPX", "severity": 2, "marks": [ { "section": "UPX0", "type": "generic", "description": "Section name indicates UPX" }, { "section": "UPX1", "type": "generic", "description": "Section name indicates UPX" } ], "references": [], "name": "packer_upx" }, { "markcount": 4, "families": [], "description": "Uses Windows utilities for basic Windows functionality", "severity": 2, "marks": [ { "category": "cmdline", "ioc": "systeminfo", "type": "ioc", "description": null }, { "category": "cmdline", "ioc": "netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE", "type": "ioc", "description": null }, { "category": "cmdline", "ioc": "C:\\Windows\\system32\\cmd.exe \/k systeminfo", "type": "ioc", "description": null }, { "category": "cmdline", "ioc": "C:\\Windows\\system32\\cmd.exe \/c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE", "type": "ioc", "description": null } ], "references": [ "http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html" ], "name": "uses_windows_utilities" }, { "markcount": 1, "families": [], "description": "Checks the CPU name from registry, possibly for anti-virtualization", "severity": 3, "marks": [ { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString", "type": "ioc", "description": null } ], "references": [], "name": "antivm_generic_cpu" }, { "markcount": 1, "families": [], "description": "Installs itself for autorun at Windows startup", "severity": 3, "marks": [ { "type": "generic", "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoUpdate", "reg_value": "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe" } ], "references": [], "name": "persistence_autorun" }, { "markcount": 1, "families": [], "description": "Executes one or more WMI queries", "severity": 3, "marks": [ { "category": "wmi", "ioc": "Select * from AntiVirusProduct", "type": "ioc", "description": null } ], "references": [], "name": "has_wmi" }, { "markcount": 1, "families": [], "description": "Creates a windows hook that monitors keyboard input (keylogger)", "severity": 3, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "SetWindowsHookExA", "return_value": 48694077, "arguments": { "thread_identifier": 0, "callback_function": "0x02920000", "module_address": "0x003e0000", "hook_identifier": 13 }, "time": 1578135198.071999, "tid": 1616, "flags": { "hook_identifier": "WH_KEYBOARD_LL" } }, "pid": 2804, "type": "call", "cid": 1039 } ], "references": [], "name": "infostealer_keylogger" }, { "markcount": 2, "families": [], "description": "Harvests credentials from local email clients", "severity": 3, "marks": [ { "category": "registry", "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail\\Store Root", "type": "ioc", "description": null }, { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Shared", "type": "ioc", "description": null } ], "references": [], "name": "infostealer_mail" }, { "markcount": 5, "families": [], "description": "Sets or modifies WPAD proxy autoconfiguration file for traffic interception", "severity": 3, "marks": [ { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExA", "return_value": 0, "arguments": { "key_handle": "0x00000384", "value": 1, "regkey_r": "WpadDecisionReason", "reg_type": 4, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason" }, "time": 1578135191.280875, "tid": 2648, "flags": { "reg_type": "REG_DWORD" } }, "pid": 1512, "type": "call", "cid": 2229 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExA", "return_value": 0, "arguments": { "key_handle": "0x00000384", "value": "\u00b0r\u00f9\u00978\u00c3\u00d5\u0001", "regkey_r": "WpadDecisionTime", "reg_type": 3, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime" }, "time": 1578135191.280875, "tid": 2648, "flags": { "reg_type": "REG_BINARY" } }, "pid": 1512, "type": "call", "cid": 2230 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExA", "return_value": 0, "arguments": { "key_handle": "0x00000384", "value": 3, "regkey_r": "WpadDecision", "reg_type": 4, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision" }, "time": 1578135191.280875, "tid": 2648, "flags": { "reg_type": "REG_DWORD" } }, "pid": 1512, "type": "call", "cid": 2231 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExW", "return_value": 0, "arguments": { "key_handle": "0x00000384", "value": "Unidentified network", "regkey_r": "WpadNetworkName", "reg_type": 1, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName" }, "time": 1578135191.280875, "tid": 2648, "flags": { "reg_type": "REG_SZ" } }, "pid": 1512, "type": "call", "cid": 2232 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegSetValueExW", "return_value": 0, "arguments": { "key_handle": "0x00000380", "value": "{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}", "regkey_r": "WpadLastNetwork", "reg_type": 1, "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork" }, "time": 1578135191.296875, "tid": 2648, "flags": { "reg_type": "REG_SZ" } }, "pid": 1512, "type": "call", "cid": 2302 } ], "references": [], "name": "modifies_proxy_wpad" }, { "markcount": 1, "families": [], "description": "Attempts to modify UAC prompt behavior", "severity": 3, "marks": [ { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", "type": "ioc", "description": null } ], "references": [], "name": "modify_uac_prompt" } ]
The Yara rules did not detect anything in the file.
{ "tls": [], "udp": [ { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 662, "time": 6.208668947219849, "dport": 137, "sport": 137 }, { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 7286, "time": 12.211493015289307, "dport": 138, "sport": 138 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 9130, "time": 6.168194055557251, "dport": 5355, "sport": 51001 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 9458, "time": 4.1440229415893555, "dport": 5355, "sport": 53595 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 9786, "time": 6.179533958435059, "dport": 5355, "sport": 53848 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 10114, "time": 4.648414134979248, "dport": 5355, "sport": 54255 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 10442, "time": 3.0303750038146973, "dport": 5355, "sport": 55314 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 10770, "time": 7.016266107559204, "dport": 5355, "sport": 55880 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 11090, "time": 4.677428960800171, "dport": 1900, "sport": 1900 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 30500, "time": 4.179117918014526, "dport": 3702, "sport": 49152 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 38884, "time": 6.240189075469971, "dport": 1900, "sport": 53598 } ], "dns_servers": [], "http": [], "icmp": [], "smtp": [], "tcp": [], "smtp_ex": [], "mitm": [], "hosts": [], "pcap_sha256": "e410601430483432b9bc7b2300aadbe261cd29113990c3dd26efcd05566d5aef", "dns": [], "http_ex": [], "domains": [], "dead_hosts": [], "sorted_pcap_sha256": "ba4ca1e7ce0b6c5d78dacf27e3d888e0ffe0756224027568abcda658b973e674", "irc": [], "https_ex": [] }
The instructions below shows how to remove stub.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the stub.exe file for removal, restart your computer and scan it again to verify that stub.exe has been successfully removed. Here are the removal instructions in more detail:
stub.exe (102 votes)
Property | Value |
---|---|
MD5 | 53d9a23a2edaeb04400549556553f5e7 |
SHA256 | a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f |
These are some of the error messages that can appear related to stub.exe:
stub.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
stub.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
stub.exe has stopped working.
End Program - stub.exe. This program is not responding.
stub.exe is not a valid Win32 application.
stub.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
To help other users, please let us know what you will do with stub.exe:
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.