What is stub.exe?

stub.exe is usually located in the 'c:\downloads\' folder.

Some of the anti-virus scanners at VirusTotal detected stub.exe.

Vendor and version information

The following is the available information on stub.exe:

Property         Value
Legal copyright  © Microsoft Corporation. All rights reserved
File version     1.2.0.1

Digital signatures

stub.exe is not signed.

VirusTotal report

49 of the 69 anti-virus programs at VirusTotal detected the stub.exe file. That's a 71% detection rate.

Scanner Detection Name
Acronis suspicious
Ad-Aware AIT:Trojan.GenericTKA.16
AegisLab Trojan.Win32.AutoIt.4!c
Alibaba TrojanSpy:Win32/AutoIt.b954b653
ALYac AIT:Trojan.GenericTKA.16
Antiy-AVL Trojan/Generic.ASVCS3S.1E5
Arcabit AIT:Trojan.GenericTKA.16
Avast Win32:Evo-gen [Susp]
AVG Win32:Evo-gen [Susp]
Avira HEUR/AGEN.1026171
Baidu Win32.Trojan-Spy.Autoit.b
BitDefender AIT:Trojan.GenericTKA.16
ClamAV Win.Malware.Autoit-6887871-0
CrowdStrike win/malicious_confidence_100% (W)
Cybereason malicious.a2edae
Cylance Unsafe
Cyren W32/AutoIt.GQ.gen!Eldorado
DrWeb Trojan.AutoIt.276
Emsisoft AIT:Trojan.GenericTKA.16 (B)
Endgame malicious (moderate confidence)
ESET-NOD32 a variant of Win32/Spy.Autoit.BY
F-Prot W32/AutoIt.GQ.gen!Eldorado
F-Secure Heuristic.HEUR/AGEN.1026171
FireEye Generic.mg.53d9a23a2edaeb04
Fortinet W32/Autoit.BY!tr.spy
GData AIT:Trojan.AutoIT.Agent.MR (2x)
Ikarus Dropper.AutoIt
Jiangmin TrojanSpy.AutoIt.ho
K7AntiVirus Spyware ( 004d8c0a1 )
K7GW Spyware ( 004d8c0a1 )
Kaspersky Trojan-Spy.Win32.AutoIt.cv
MAX malware (ai score=100)
McAfee Artemis!53D9A23A2EDA
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Microsoft PWS:AutoIt/Passup.A
MicroWorld-eScan AIT:Trojan.GenericTKA.16
NANO-Antivirus Trojan.Win32.AutoIt.fpbuvb
Paloalto generic.ml
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM11.1.9029.Malware.Gen
SentinelOne DFI - Suspicious PE
Sophos Mal/Generic-S
Symantec ML.Attribute.HighConfidence
Tencent Win32.Trojan-spy.Autoit.Swuz
Trapmine malicious.moderate.ml.score
TrendMicro TROJ_GEN.R002C0DDG19
TrendMicro-HouseCall TROJ_GEN.R002C0DDG19
VBA32 Trojan.Autoit.F
ZoneAlarm Trojan-Spy.Win32.AutoIt.cv

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

{
    "file_created": [
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm"
    ],
    "file_recreated": [
        "\\??\\nul",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
        "\\Device\\KsecDD",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
        "\\Device\\Http\\Communication",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp"
    ],
    "regkey_written": [
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4462",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Server ID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\ConsoleTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileDirectory",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TaskbarNoNotification",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableFileTracing",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableConsoleTracing",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoUpdate",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\MaxFileSize",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default LDAP Account",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102"
    ],
    "dll_loaded": [
        "COMDLG32.dll",
        "RASMONTR.DLL",
        "C:\\Windows\\System32\\mswsock.dll",
        "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
        "WSHELPER.DLL",
        "RpcRtRemote.dll",
        "API-MS-WIN-Service-Management-L2-1-0.dll",
        "gdi32.dll",
        "DNSAPI.dll",
        "DHCPCSVC.DLL",
        "kernel32.dll",
        "UxTheme.dll",
        "NSHIPSEC.DLL",
        "dwmapi.dll",
        "ntdll.dll",
        "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
        "HTTPAPI.dll",
        "WHHELPER.DLL",
        "HNETMON.DLL",
        "API-MS-WIN-Service-Management-L1-1-0.dll",
        "WININET.dll",
        "SXS.DLL",
        "C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
        "KERNEL32.DLL",
        "DOT3CFG.DLL",
        "WSOCK32.dll",
        "RASMAN.DLL",
        "RPCNSH.DLL",
        "comctl32",
        "ole32.dll",
        "USERENV.dll",
        "NSHWFP.DLL",
        "USER32.dll",
        "IMM32.dll",
        "gdiplus.dll",
        "MPR.dll",
        "API-MS-Win-Security-SDDL-L1-1-0.dll",
        "API-MS-WIN-Service-winsvc-L1-1-0.dll",
        "rtutils.dll",
        "IPHLPAPI.DLL",
        "GPAPI.dll",
        "WLANCFG.DLL",
        "WinInet.dll",
        "Avicap32.dll",
        "DHCPCMONITOR.DLL",
        "C:\\Windows\\system32\\napinsp.dll",
        "OLEAUT32.dll",
        "C:\\Windows\\system32\\pnrpnsp.dll",
        "SHELL32.dll",
        "NAPMONTR.DLL",
        "NSHHTTP.DLL",
        "CRYPTSP.dll",
        "C:\\Windows\\System32\\winrnr.dll",
        "PSAPI.DLL",
        "comctl32.dll",
        "PEERDISTSH.DLL",
        "NETIOHLP.DLL",
        "COMCTL32.dll",
        "C:\\Windows\\system32\\NLAapi.dll",
        "VERSION.dll",
        "wininet.dll",
        "WINMM.dll",
        "AUTHFWCFG.DLL",
        "GDI32.dll",
        "MLANG.dll",
        "P2PNETSH.DLL",
        "IFMON.DLL",
        "C:\\Windows\\SysWOW64\\oleaut32.dll",
        "ADVAPI32.dll",
        "rpcrt4.dll",
        "WS2_32.dll",
        "FWCFG.DLL",
        "user32.dll",
        "userenv.dll"
    ],
    "file_opened": [
        "",
        "C:\\Windows\\System32\\en-US\\mlang.dll.mui",
        "C:\\",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
        "\\Device\\NamedPipe\\",
        "C:\\Windows\\System32\\en-US\\eapqec.dll.mui",
        "C:\\Users\\cuck\\AppData\\Roaming\\",
        "C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount",
        "C:\\Windows\\System32\\netmsg.dll",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
        "C:\\Windows\\SysWOW64\\stdole2.tlb",
        "C:\\Windows\\System32\\tsgqec.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
        "C:\\Windows\\System32\\EAPQEC.DLL",
        "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll",
        "C:\\Windows\\System32\\mlang.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Windows\\System32\\en-US\\napipsec.dll.mui",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
        "C:\\Windows\\System32\\napipsec.dll",
        "C:\\Windows\\SysWOW64\\cdosys.dll",
        "C:\\Windows\\System32\\DHCPQEC.DLL"
    ],
    "file_copied": [
        [
            "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
            "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe"
        ]
    ],
    "connects_host": [
        "icanhazip.com",
        "62.108.34.111"
    ],
    "regkey_opened": [
        "HKEY_CLASSES_ROOT\\.tiff",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
        "HKEY_CLASSES_ROOT\\.avi",
        "HKEY_CLASSES_ROOT\\.group",
        "HKEY_CLASSES_ROOT\\.wsc",
        "HKEY_CLASSES_ROOT\\.vssscc",
        "HKEY_CLASSES_ROOT\\.ai",
        "HKEY_CLASSES_ROOT\\.wsz",
        "HKEY_CLASSES_ROOT\\.au",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
        "HKEY_CLASSES_ROOT\\.wvx",
        "HKEY_CLASSES_ROOT\\.c2r",
        "HKEY_CLASSES_ROOT\\.TTS",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming",
        "HKEY_CLASSES_ROOT\\.mlc",
        "HKEY_CLASSES_ROOT\\.js",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
        "HKEY_CLASSES_ROOT\\.gmmp",
        "HKEY_CLASSES_ROOT\\.evt",
        "HKEY_CLASSES_ROOT\\.xls",
        "HKEY_CLASSES_ROOT\\.eyb",
        "HKEY_CLASSES_ROOT\\.cda",
        "HKEY_CLASSES_ROOT\\.cdx",
        "HKEY_CLASSES_ROOT\\.xlb",
        "HKEY_CLASSES_ROOT\\.jbf",
        "HKEY_CLASSES_ROOT\\.com",
        "HKEY_CLASSES_ROOT\\.lst",
        "HKEY_CLASSES_ROOT\\.cod",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Publisher",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_CLASSES_ROOT\\.dct",
        "HKEY_CLASSES_ROOT\\.nls",
        "HKEY_CLASSES_ROOT\\.mov",
        "HKEY_CLASSES_ROOT\\.H1C",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\9",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\VFW",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Roaming",
        "HKEY_CLASSES_ROOT\\.wm",
        "HKEY_CLASSES_ROOT\\.rsp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider",
        "HKEY_CLASSES_ROOT\\.pch",
        "HKEY_CLASSES_ROOT\\txtfile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\UI",
        "HKEY_CLASSES_ROOT\\.hpp",
        "HKEY_CLASSES_ROOT\\.wtx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service",
        "HKEY_CLASSES_ROOT\\.rtf",
        "HKEY_CURRENT_USER\\CLSID\\{00000000-0000-0000-0000-000000000000}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
        "HKEY_CLASSES_ROOT\\.m4v",
        "HKEY_CLASSES_ROOT\\.m4p",
        "HKEY_CLASSES_ROOT\\.art",
        "HKEY_CLASSES_ROOT\\.bkf",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\Progid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
        "HKEY_CLASSES_ROOT\\.m4a",
        "HKEY_CLASSES_ROOT\\.kci",
        "HKEY_CLASSES_ROOT\\.qds",
        "HKEY_CLASSES_ROOT\\.cab",
        "HKEY_CLASSES_ROOT\\.p12",
        "HKEY_CLASSES_ROOT\\.p10",
        "HKEY_CLASSES_ROOT\\.MTS",
        "HKEY_CLASSES_ROOT\\.cat",
        "HKEY_CLASSES_ROOT\\.aspx",
        "HKEY_CLASSES_ROOT\\.psd",
        "HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted",
        "HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
        "HKEY_CLASSES_ROOT\\.ibq",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0",
        "HKEY_CLASSES_ROOT\\.sor",
        "HKEY_CLASSES_ROOT\\.blg",
        "HKEY_CLASSES_ROOT\\.chm",
        "HKEY_CLASSES_ROOT\\.chk",
        "HKEY_CLASSES_ROOT\\.sol",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider",
        "HKEY_CLASSES_ROOT\\.vob",
        "HKEY_CLASSES_ROOT\\.rat",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Download",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0",
        "HKEY_CLASSES_ROOT\\.MOD",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\Connection",
        "HKEY_CLASSES_ROOT\\.xps",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0",
        "HKEY_CLASSES_ROOT\\.log",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid",
        "HKEY_CLASSES_ROOT\\.rc",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CooperativeCaching",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager",
        "HKEY_CLASSES_ROOT\\.mpv2",
        "HKEY_CLASSES_ROOT\\.png",
        "HKEY_CLASSES_ROOT\\.pnf",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Discovery",
        "HKEY_CLASSES_ROOT\\.doc",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Republication",
        "HKEY_CLASSES_ROOT\\.faq",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\UtilityIndex",
        "HKEY_CLASSES_ROOT\\.dos",
        "HKEY_CLASSES_ROOT\\.dot",
        "HKEY_CLASSES_ROOT\\.jod",
        "HKEY_CLASSES_ROOT\\.csv",
        "HKEY_CLASSES_ROOT\\.css",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\409",
        "HKEY_CLASSES_ROOT\\.mht",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager\\Restricted",
        "HKEY_CLASSES_ROOT\\.csa",
        "HKEY_CLASSES_ROOT\\.udt",
        "HKEY_CLASSES_ROOT\\.htx",
        "HKEY_CLASSES_ROOT\\.crds",
        "HKEY_CLASSES_ROOT\\.trg",
        "HKEY_CLASSES_ROOT\\.htt",
        "HKEY_CLASSES_ROOT\\.htw",
        "HKEY_CLASSES_ROOT\\.mcl",
        "HKEY_CLASSES_ROOT\\.udf",
        "HKEY_CLASSES_ROOT\\.htm",
        "HKEY_CLASSES_ROOT\\.shtm",
        "HKEY_CLASSES_ROOT\\.hta",
        "HKEY_CLASSES_ROOT\\.htc",
        "HKEY_CLASSES_ROOT\\.p7s",
        "HKEY_CLASSES_ROOT\\.txt",
        "HKEY_CLASSES_ROOT\\.WMS",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Republication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\PolicyProvider",
        "HKEY_CLASSES_ROOT\\.WMD",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
        "HKEY_CLASSES_ROOT\\.jfif",
        "HKEY_CLASSES_ROOT\\.wlt",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager",
        "HKEY_CLASSES_ROOT\\.fon",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PeerDist",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
        "HKEY_CLASSES_ROOT\\.wll",
        "HKEY_CLASSES_ROOT\\.cer",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
        "HKEY_CLASSES_ROOT\\.tab",
        "HKEY_CLASSES_ROOT\\.nfo",
        "HKEY_CLASSES_ROOT\\.cls",
        "HKEY_CLASSES_ROOT\\.ps1xml",
        "HKEY_CLASSES_ROOT\\.tar",
        "HKEY_CURRENT_USER\\Control Panel\\Mouse",
        "HKEY_CLASSES_ROOT\\.sst",
        "HKEY_CLASSES_ROOT\\.html",
        "HKEY_CLASSES_ROOT\\.xlt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo",
        "HKEY_CLASSES_ROOT\\.reg",
        "HKEY_CLASSES_ROOT\\.mp2v",
        "HKEY_CLASSES_ROOT\\.usr",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\iphlpsvc\\Config",
        "HKEY_CLASSES_ROOT\\.pif",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
        "HKEY_CLASSES_ROOT\\.pic",
        "HKEY_CLASSES_ROOT\\.res",
        "HKEY_CLASSES_ROOT\\.m14",
        "HKEY_CLASSES_ROOT\\.cpp",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        "HKEY_CLASSES_ROOT\\.cpl",
        "HKEY_CLASSES_ROOT\\.pbk",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Upload",
        "HKEY_CLASSES_ROOT\\.386",
        "HKEY_CLASSES_ROOT\\.xlc",
        "HKEY_CLASSES_ROOT\\.AAC",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
        "HKEY_CLASSES_ROOT\\.evtx",
        "HKEY_LOCAL_MACHINE\\System\\Setup",
        "HKEY_CLASSES_ROOT\\.m1v",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\CLSID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider",
        "HKEY_CLASSES_ROOT\\.eprtx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NetSh",
        "HKEY_CLASSES_ROOT\\.vcf",
        "HKEY_CLASSES_ROOT\\.xsd",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Shared",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Mail",
        "HKEY_CLASSES_ROOT\\.ppt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM",
        "HKEY_CLASSES_ROOT\\.pps",
        "HKEY_CLASSES_ROOT\\.tsv",
        "HKEY_CLASSES_ROOT\\.tsp",
        "HKEY_CLASSES_ROOT\\.hxx",
        "HKEY_CLASSES_ROOT\\.ilk",
        "HKEY_CURRENT_USER\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}",
        "HKEY_CLASSES_ROOT\\.sed",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocHandler32",
        "HKEY_CLASSES_ROOT\\.ics",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager",
        "HKEY_CLASSES_ROOT\\.mk",
        "HKEY_CLASSES_ROOT\\.spc",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
        "HKEY_CLASSES_ROOT\\.tdl",
        "HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
        "HKEY_CLASSES_ROOT\\.icc",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0\\win32",
        "HKEY_CLASSES_ROOT\\.mv",
        "HKEY_CLASSES_ROOT\\.icm",
        "HKEY_CLASSES_ROOT\\.icl",
        "HKEY_CLASSES_ROOT\\.ico",
        "HKEY_CLASSES_ROOT\\.der",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32",
        "HKEY_CLASSES_ROOT\\.xsl",
        "HKEY_CLASSES_ROOT\\.def",
        "HKEY_CLASSES_ROOT\\.ncb",
        "HKEY_CLASSES_ROOT\\.fky",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
        "HKEY_CLASSES_ROOT\\.swf",
        "HKEY_CLASSES_ROOT\\.M2V",
        "HKEY_CLASSES_ROOT\\.z96",
        "HKEY_CLASSES_ROOT\\.M2T",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Download",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocHandler",
        "HKEY_CLASSES_ROOT\\.ttc",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Publication",
        "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
        "HKEY_CLASSES_ROOT\\.zip",
        "HKEY_CLASSES_ROOT\\.bsc",
        "HKEY_CLASSES_ROOT\\.shtml",
        "HKEY_CLASSES_ROOT\\.psc1",
        "HKEY_CLASSES_ROOT\\.ghi",
        "HKEY_CLASSES_ROOT\\.dbg",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\TreatAs",
        "HKEY_CLASSES_ROOT\\.pmr",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
        "HKEY_CLASSES_ROOT\\.dbs",
        "HKEY_CLASSES_ROOT\\.3g2",
        "HKEY_CLASSES_ROOT\\.pml",
        "HKEY_CLASSES_ROOT\\.pmc",
        "HKEY_CLASSES_ROOT\\.pma",
        "HKEY_CLASSES_ROOT\\.ADTS",
        "HKEY_CLASSES_ROOT\\.pfx",
        "HKEY_CLASSES_ROOT\\.mig",
        "HKEY_CLASSES_ROOT\\.mid",
        "HKEY_CURRENT_USER\\CDO.Message",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters",
        "HKEY_CLASSES_ROOT\\.webpnp",
        "HKEY_CLASSES_ROOT\\.wpl",
        "HKEY_CLASSES_ROOT\\.pfm",
        "HKEY_CLASSES_ROOT\\.label",
        "HKEY_CLASSES_ROOT\\.sbr",
        "HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
        "HKEY_CLASSES_ROOT\\.cc",
        "HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
        "HKEY_CLASSES_ROOT\\.bas",
        "HKEY_CLASSES_ROOT\\.bat",
        "HKEY_CLASSES_ROOT\\.cs",
        "HKEY_CLASSES_ROOT\\.VBE",
        "HKEY_CLASSES_ROOT\\.DVR",
        "HKEY_CLASSES_ROOT\\.asx",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System",
        "HKEY_CLASSES_ROOT\\.asp",
        "HKEY_CLASSES_ROOT\\.osdx",
        "HKEY_CLASSES_ROOT\\.db",
        "HKEY_CLASSES_ROOT\\.eps",
        "HKEY_CLASSES_ROOT\\.asm",
        "HKEY_CLASSES_ROOT\\.asa",
        "HKEY_CLASSES_ROOT\\.etp",
        "HKEY_CLASSES_ROOT\\.asc",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup",
        "HKEY_CLASSES_ROOT\\.asf",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\AutoUpdate_RASMANCS",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0",
        "HKEY_CLASSES_ROOT\\.latex",
        "HKEY_CLASSES_ROOT\\.otf",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Preconfigured",
        "HKEY_CLASSES_ROOT\\.vxd",
        "HKEY_CLASSES_ROOT\\.sit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Content Type\\text\/plain",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider",
        "HKEY_CLASSES_ROOT\\.cmd",
        "HKEY_CLASSES_ROOT\\.stl",
        "HKEY_CLASSES_ROOT\\.stm",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
        "HKEY_CLASSES_ROOT\\.theme",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local",
        "HKEY_CLASSES_ROOT\\.gadget",
        "HKEY_CLASSES_ROOT\\FirefoxHTML-E7CF176E110C211B",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail",
        "HKEY_CLASSES_ROOT\\.tif",
        "HKEY_CLASSES_ROOT\\.edrwx",
        "HKEY_CLASSES_ROOT\\.dat",
        "HKEY_CLASSES_ROOT\\.diz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621",
        "HKEY_CURRENT_USER\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623",
        "HKEY_CLASSES_ROOT\\.wdp",
        "HKEY_CLASSES_ROOT\\.wcx",
        "HKEY_CLASSES_ROOT\\.lnk",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32",
        "HKEY_CLASSES_ROOT\\.xslt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Publisher",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79621",
        "HKEY_CLASSES_ROOT\\.rmi",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79623",
        "HKEY_CLASSES_ROOT\\.psd1",
        "HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\CLSID",
        "HKEY_CLASSES_ROOT\\.pl",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Discovery",
        "HKEY_CURRENT_USER\\winmgmts",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider",
        "HKEY_CLASSES_ROOT\\.midi",
        "HKEY_CLASSES_ROOT\\.jnt",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\(Default)",
        "HKEY_CLASSES_ROOT\\.lgn",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}",
        "HKEY_CLASSES_ROOT\\.csproj",
        "HKEY_CLASSES_ROOT\\.vbs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0",
        "HKEY_CLASSES_ROOT\\.vbx",
        "HKEY_CLASSES_ROOT\\.3gp2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\9",
        "HKEY_CLASSES_ROOT\\.psm1",
        "HKEY_CLASSES_ROOT\\.cxx",
        "HKEY_CLASSES_ROOT\\.3gp",
        "HKEY_CLASSES_ROOT\\.JSE",
        "HKEY_CLASSES_ROOT\\.emf",
        "HKEY_CLASSES_ROOT\\.rc2",
        "HKEY_CLASSES_ROOT\\.vbproj",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache",
        "HKEY_CLASSES_ROOT\\.gz",
        "HKEY_CLASSES_ROOT\\.img",
        "HKEY_CLASSES_ROOT\\.imc",
        "HKEY_CLASSES_ROOT\\.M2TS",
        "HKEY_CLASSES_ROOT\\.mpeg",
        "HKEY_CLASSES_ROOT\\.wbcat",
        "HKEY_CLASSES_ROOT\\.3gpp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HandleMgr",
        "HKEY_CLASSES_ROOT\\.xix",
        "HKEY_CLASSES_ROOT\\.user",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
        "HKEY_CLASSES_ROOT\\.fnd",
        "HKEY_CLASSES_ROOT\\.rct",
        "HKEY_CLASSES_ROOT\\.wmv",
        "HKEY_CLASSES_ROOT\\.idl",
        "HKEY_CLASSES_ROOT\\.wmp",
        "HKEY_CLASSES_ROOT\\.ps1",
        "HKEY_CLASSES_ROOT\\.wmx",
        "HKEY_CLASSES_ROOT\\.wmz",
        "HKEY_CLASSES_ROOT\\.fnt",
        "HKEY_CLASSES_ROOT\\.wmf",
        "HKEY_CLASSES_ROOT\\.wma",
        "HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
        "HKEY_CLASSES_ROOT\\.idq",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment",
        "HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79619",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79617",
        "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
        "HKEY_CLASSES_ROOT\\.hqx",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider",
        "HKEY_CLASSES_ROOT\\.mp4v",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
        "HKEY_CLASSES_ROOT\\.msi",
        "HKEY_CLASSES_ROOT\\.lib",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CDO.Message\\CLSID",
        "HKEY_CLASSES_ROOT\\.msg",
        "HKEY_CLASSES_ROOT\\.msc",
        "HKEY_CLASSES_ROOT\\.gif",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Peers\\Connection",
        "HKEY_CLASSES_ROOT\\.msu",
        "HKEY_CLASSES_ROOT\\.msp",
        "HKEY_CLASSES_ROOT\\.obj",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
        "HKEY_CLASSES_ROOT\\.webm",
        "HKEY_CLASSES_ROOT\\.RDP",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager",
        "HKEY_CLASSES_ROOT\\.IVF",
        "HKEY_CLASSES_ROOT\\.H1V",
        "HKEY_CLASSES_ROOT\\.H1W",
        "HKEY_CLASSES_ROOT\\.H1T",
        "HKEY_CLASSES_ROOT\\.dsw",
        "HKEY_CLASSES_ROOT\\.dsp",
        "HKEY_CLASSES_ROOT\\.H1S",
        "HKEY_CLASSES_ROOT\\.H1Q",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
        "HKEY_CLASSES_ROOT\\.movie",
        "HKEY_CLASSES_ROOT\\.H1F",
        "HKEY_CLASSES_ROOT\\.H1D",
        "HKEY_CLASSES_ROOT\\.viw",
        "HKEY_CLASSES_ROOT\\.mmf",
        "HKEY_CLASSES_ROOT\\.vsscc",
        "HKEY_CLASSES_ROOT\\.dsn",
        "HKEY_CLASSES_ROOT\\.H1K",
        "HKEY_CLASSES_ROOT\\.H1H",
        "HKEY_CLASSES_ROOT\\.xbap",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
        "HKEY_CLASSES_ROOT\\.ex_",
        "HKEY_CLASSES_ROOT\\.xrm-ms",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
        "HKEY_CLASSES_ROOT\\.WSH",
        "HKEY_CLASSES_ROOT\\.bin",
        "HKEY_CLASSES_ROOT\\.aps",
        "HKEY_CLASSES_ROOT\\.jpg",
        "HKEY_CLASSES_ROOT\\.jpe",
        "HKEY_CLASSES_ROOT\\.exp",
        "HKEY_CLASSES_ROOT\\.ext",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin",
        "HKEY_CLASSES_ROOT\\.mhtml",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts",
        "HKEY_CLASSES_ROOT\\.pyo",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0",
        "HKEY_CLASSES_ROOT\\.text",
        "HKEY_CLASSES_ROOT\\.exe",
        "HKEY_CLASSES_ROOT\\.xml",
        "HKEY_CLASSES_ROOT\\.URL",
        "HKEY_CLASSES_ROOT\\.sql",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Peers\\Connection",
        "HKEY_CLASSES_ROOT\\.hdp",
        "HKEY_CLASSES_ROOT\\.tgz",
        "HKEY_CLASSES_ROOT\\.xaml",
        "HKEY_CLASSES_ROOT\\.rgs",
        "HKEY_CLASSES_ROOT\\.grp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
        "HKEY_CURRENT_USER\\TypeLib",
        "HKEY_CLASSES_ROOT\\.tli",
        "HKEY_CLASSES_ROOT\\.tlh",
        "HKEY_CLASSES_ROOT\\.odt",
        "HKEY_CLASSES_ROOT\\.tlb",
        "HKEY_CLASSES_ROOT\\.wmdb",
        "HKEY_CLASSES_ROOT\\.py",
        "HKEY_CLASSES_ROOT\\.ogg",
        "HKEY_CLASSES_ROOT\\.ascx",
        "HKEY_CLASSES_ROOT\\.aif",
        "HKEY_CLASSES_ROOT\\.oga",
        "HKEY_CLASSES_ROOT\\.ps",
        "HKEY_CLASSES_ROOT\\.dib",
        "HKEY_CLASSES_ROOT\\.dic",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32",
        "HKEY_CLASSES_ROOT\\.rll",
        "HKEY_CLASSES_ROOT\\.docx",
        "HKEY_CLASSES_ROOT\\.ogv",
        "HKEY_CLASSES_ROOT\\.rle",
        "HKEY_CLASSES_ROOT\\.sc2",
        "HKEY_CLASSES_ROOT\\.local",
        "HKEY_CLASSES_ROOT\\HTTP\\shell\\open\\command",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache",
        "HKEY_CLASSES_ROOT\\.rul",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
        "HKEY_CLASSES_ROOT\\.pyc",
        "HKEY_CLASSES_ROOT\\.in_",
        "HKEY_CLASSES_ROOT\\.cur",
        "HKEY_CLASSES_ROOT\\.WSF",
        "HKEY_CLASSES_ROOT\\.pyw",
        "HKEY_CURRENT_USER\\MIME\\Database\\Rfc1766",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "HKEY_CLASSES_ROOT\\.inv",
        "HKEY_CLASSES_ROOT\\.wri",
        "HKEY_CLASSES_ROOT\\.nvr",
        "HKEY_CLASSES_ROOT\\.easmx",
        "HKEY_CLASSES_ROOT\\.sct",
        "HKEY_CLASSES_ROOT\\.mak",
        "HKEY_CLASSES_ROOT\\.scr",
        "HKEY_CLASSES_ROOT\\.inx",
        "HKEY_CLASSES_ROOT\\.scp",
        "HKEY_CLASSES_ROOT\\.inf",
        "HKEY_CLASSES_ROOT\\.inc",
        "HKEY_CLASSES_ROOT\\.man",
        "HKEY_CLASSES_ROOT\\.m3u",
        "HKEY_CLASSES_ROOT\\.scf",
        "HKEY_CLASSES_ROOT\\.inl",
        "HKEY_CLASSES_ROOT\\.scd",
        "HKEY_CLASSES_ROOT\\.scc",
        "HKEY_CLASSES_ROOT\\.ini",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DiscoveryManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Protocol",
        "HKEY_CLASSES_ROOT\\.jpeg",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HandleMgr",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0",
        "HKEY_CLASSES_ROOT\\MIME\\Database\\Content Type",
        "HKEY_CLASSES_ROOT\\.snd",
        "HKEY_CLASSES_ROOT\\.xht",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
        "HKEY_CLASSES_ROOT\\.bmp",
        "HKEY_CLASSES_ROOT\\.cgm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider",
        "HKEY_CLASSES_ROOT\\.jtx",
        "HKEY_CLASSES_ROOT\\.m4b",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
        "HKEY_CLASSES_ROOT\\.jtp",
        "HKEY_CLASSES_ROOT\\.hhc",
        "HKEY_CLASSES_ROOT\\.sch",
        "HKEY_CLASSES_ROOT\\.ans",
        "HKEY_CLASSES_ROOT\\.ani",
        "HKEY_CLASSES_ROOT\\.dwfx",
        "HKEY_CLASSES_ROOT\\.p7m",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\409",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
        "HKEY_CLASSES_ROOT\\.p7b",
        "HKEY_CLASSES_ROOT\\.p7c",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winsat",
        "HKEY_CLASSES_ROOT\\.p7r",
        "HKEY_CLASSES_ROOT\\.pko",
        "HKEY_CLASSES_ROOT\\.vspscc",
        "HKEY_CLASSES_ROOT\\.pds",
        "HKEY_CLASSES_ROOT\\.crt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AutoUpdate.exe",
        "HKEY_CLASSES_ROOT\\.rpc",
        "HKEY_CLASSES_ROOT\\.java",
        "HKEY_CLASSES_ROOT\\.pdb",
        "HKEY_CLASSES_ROOT\\.crd",
        "HKEY_CLASSES_ROOT\\.pdf",
        "HKEY_CLASSES_ROOT\\.UDL",
        "HKEY_CLASSES_ROOT\\.crl",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Protocol",
        "HKEY_CLASSES_ROOT\\.drv",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
        "HKEY_CLASSES_ROOT\\.ttf",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CooperativeCaching",
        "HKEY_CLASSES_ROOT\\.bcp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache\\Connection",
        "HKEY_CLASSES_ROOT\\.jav",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Publication",
        "HKEY_CLASSES_ROOT\\.TS",
        "HKEY_CLASSES_ROOT\\.camp",
        "HKEY_CLASSES_ROOT\\.aiff",
        "HKEY_CLASSES_ROOT\\.prf",
        "HKEY_CLASSES_ROOT\\.prc",
        "HKEY_CLASSES_ROOT\\.aifc",
        "HKEY_CLASSES_ROOT\\.WTV",
        "HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
        "HKEY_CLASSES_ROOT\\.xhtml",
        "HKEY_CLASSES_ROOT\\.plg",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0\\win32",
        "HKEY_CLASSES_ROOT\\.mydocs",
        "HKEY_CLASSES_ROOT\\.php3",
        "HKEY_CURRENT_USER\\Interface\\{027947E1-D731-11CE-A357-000000000001}",
        "HKEY_CLASSES_ROOT\\.sy_",
        "HKEY_CLASSES_ROOT\\.srf",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
        "HKEY_CLASSES_ROOT\\.DVR-MS",
        "HKEY_CLASSES_ROOT\\.fif",
        "HKEY_CLASSES_ROOT\\.i",
        "HKEY_CLASSES_ROOT\\.Job",
        "HKEY_CLASSES_ROOT\\.h",
        "HKEY_CLASSES_ROOT\\.msdvd",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Upload",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\UtilityIndex",
        "HKEY_CLASSES_ROOT\\.asmx",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
        "HKEY_CLASSES_ROOT\\.sys",
        "HKEY_CLASSES_ROOT\\.sym",
        "HKEY_CLASSES_ROOT\\.hlp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Service",
        "HKEY_CLASSES_ROOT\\.s",
        "HKEY_CLASSES_ROOT\\.mp2",
        "HKEY_CLASSES_ROOT\\.mp3",
        "HKEY_CLASSES_ROOT\\.mp4",
        "HKEY_CLASSES_ROOT\\.sr_",
        "HKEY_CLASSES_ROOT\\.odc",
        "HKEY_CLASSES_ROOT\\.wav",
        "HKEY_CLASSES_ROOT\\.wax",
        "HKEY_CLASSES_ROOT\\.odl",
        "HKEY_CLASSES_ROOT\\.oc_",
        "HKEY_CLASSES_ROOT\\.odh",
        "HKEY_CLASSES_ROOT\\.dl_",
        "HKEY_CLASSES_ROOT\\.wab",
        "HKEY_CLASSES_ROOT\\.ADT",
        "HKEY_CLASSES_ROOT\\.dll",
        "HKEY_CLASSES_ROOT\\.c",
        "HKEY_CLASSES_ROOT\\.a",
        "HKEY_CLASSES_ROOT\\.mpa",
        "HKEY_CLASSES_ROOT\\.ocx",
        "HKEY_CLASSES_ROOT\\.mpe",
        "HKEY_CLASSES_ROOT\\.iso",
        "HKEY_CLASSES_ROOT\\.mpg",
        "HKEY_CLASSES_ROOT\\.pot",
        "HKEY_CLASSES_ROOT\\.cdmp",
        "HKEY_CLASSES_ROOT\\.x",
        "HKEY_CLASSES_ROOT\\.vcproj",
        "HKEY_CLASSES_ROOT\\.z",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler"
    ],
    "resolves_host": [
        "..localmachine",
        "cuckpc",
        "wpad",
        "localhost"
    ],
    "file_written": [
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm"
    ],
    "file_deleted": [
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp"
    ],
    "file_exists": [
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\04-01-2020_11.53.jpg",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\ssfn*",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.htm",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
        "C:\\Users\\cuck\\AppData\\Roaming\\log",
        "C:\\Windows\\System32\\C_932.NLS",
        "C:\\Windows\\System32\\qagentrt.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin",
        "C:\\Windows\\System32\\C_950.NLS",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
        "C:\\Windows\\System32\\C_28591.NLS",
        "C:\\Windows\\System32\\tsgqec.dll",
        "C:\\Windows\\System32\\C_936.NLS",
        "C:\\Windows\\System32\\EAPQEC.DLL",
        "C:\\Windows\\System32\\dnsapi.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm",
        "C:\\Windows\\System32\\p2pcollab.dll",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
        "C:\\Windows\\System32\\C_949.NLS",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\web_history.dll",
        "C:\\Windows\\System32\\napipsec.dll",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.vdf",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2",
        "C:\\Windows\\System32\\DHCPQEC.DLL"
    ],
    "mutex": [
        "IESQMMUTEX_0_208",
        "Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
    ],
    "file_failed": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2"
    ],
    "wmi_query": [
        "Select * from AntiVirusProduct"
    ],
    "command_line": [
        "C:\\Windows\\system32\\cmd.exe \/c C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe all",
        "systeminfo",
        "HOSTNAME",
        "netsh  firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
        "C:\\Windows\\system32\\cmd.exe \/k HOSTNAME",
        "C:\\Windows\\system32\\cmd.exe \/k systeminfo",
        "C:\\Windows\\system32\\cmd.exe \/c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE",
        "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1 "
    ],
    "file_read": [
        "C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
        "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm",
        "C:\\Windows\\SysWOW64\\cdosys.dll",
        "C:\\Windows\\SysWOW64\\stdole2.tlb"
    ],
    "regkey_read": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gpp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dct\\Content Type",
        "HKEY_CURRENT_USER\\.ogg\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.doc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Account Manager\\Preconfigured\\PreConfigVer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.edrwx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\Enable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.trg\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hdp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ai\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bkf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psm1\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pl\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pif\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icl\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.etp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dot\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Component Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evt\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnt\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CDO.Message\\CLSID\\(Default)",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pic\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSH\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd1\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\Environment\\PROCESSOR_ARCHITECTURE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.faq\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ppt\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dl_\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpe\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cer\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MOD\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR-MS\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Config Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lib\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rtf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.drv\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.db\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xml\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mov\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider\\Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsw\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eyb\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.URL\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Description",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Tracing Level",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vxd\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nls\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbproj\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aif\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Registration Date",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.osdx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lnk\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bas\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jod\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eps\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpeg\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sed\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rle\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\GpSvcDebugLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Config Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crds\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sc2\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wcx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.386\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.user\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nfo\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Vendor Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\EnableObjectValidation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousUploads",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableConsoleTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.art\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m1v\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1Q\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aifc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADTS\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp2\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileTracingMask",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Info Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpa\\Content Type",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4462",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jtp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mak\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7b\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlb\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.blg\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jfif\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfm\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scr\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htt\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cur\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tif\\Content Type",
        "HKEY_CURRENT_USER\\.xht\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Info Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7c\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ilk\\Content Type",
        "HKEY_CURRENT_USER\\HTTP\\shell\\open\\command\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gmmp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMD\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.docx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Validator Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hpp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.kci\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WTV\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ext\\Content Type",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gadget\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1V\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webpnp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSF\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csa\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aspx\\Content Type",
        "HKEY_CURRENT_USER\\.webm\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1C\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1S\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbs\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.viw\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Description",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default LDAP Account",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xls\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2TS\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asm\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.VBE\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.iso\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbg\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msdvd\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tgz\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pdb\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zip\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4b\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tiff\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\PlumbIpsecPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows Mail\\Disable RFC2646 Wrapping",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.otf\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ani\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1K\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsv\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wpl\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.reg\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jnt\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.avi\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hlp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pps\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider\\Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wlt\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingOffers",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cmd\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mht\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Version",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pma\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pnf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hxx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dwfx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wbcat\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ocx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserenvDebugLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.s\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.IVF\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Friendly Name",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csv\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bin\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\MaxFileSize",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udf\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc2\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wdp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\ConsoleTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dos\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idl\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inl\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\BlockSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Component Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\DisabledComponents",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows Mail\\No modify accts",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ico\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted\\Seed",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xps\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.label\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sys\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m3u\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msg\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cod\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inv\\Content Type",
        "HKEY_CURRENT_USER\\.shtml\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scd\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pch\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsn\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eprtx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cab\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPHLPSVC\\config\\Connectivity_Platform_Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.RDP\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dll\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbs\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMS\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tab\\Content Type",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BaseBoardManufacturer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Content Type\\text\/plain\\Extension",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csproj\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wav\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udt\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m14\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsc\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z96\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.man\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcproj\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.def\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pds\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sor\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.theme\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xaml\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tli\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Upgrade",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Friendly Name",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.swf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Validator Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4a\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rsp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stl\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsl\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diz\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\Content Type",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vob\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jav\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gz\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\NumBlocksPerSegment",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.imc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.h\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.easmx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableFileTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.emf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Component Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mv\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1xml\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.midi\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.latex\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Registration Date",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wab\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ncb\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\EnableConsoleTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pml\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htw\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rct\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lgn\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jbf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshProcName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.py\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.group\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wri\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.srf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crt\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TTS\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7s\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pot\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider\\Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail\\Store Root",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\EnableFileTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.com\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sch\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7r\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dib\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hqx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2V\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4v\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.img\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cxx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp3\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.java\\Content Type",
        "HKEY_CURRENT_USER\\.pdf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mig\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.der\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpe\\Content Type",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crd\\Content Type",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2T\\Content Type",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sst\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xrm-ms\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wtx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Friendly Name",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sbr\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0\\win32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msp\\Content Type",
        "HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsd\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Version",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\DoNotUseSSL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Version",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\MaxFileSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odh\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Config Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.obj\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fon\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wax\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttf\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rul\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyw\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fif\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.movie\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asa\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousDownloads",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stm\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4p\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.x\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wm\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider\\Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bcp\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Vendor Name",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\28591",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\RepubQuorumSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.spc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider\\Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
        "HKEY_CURRENT_USER\\.ogv\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vsscc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sy_\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Registration Date",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sct\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ics\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xbap\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chk\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sr_\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Config Clsid",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vspscc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\CryptoAlgo",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cls\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psc1\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.UDL\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\MinBackoffWindow",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.qds\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wvx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dic\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mk\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0\\win32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1D\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Info Clsid",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BaseBoardProduct",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Info Clsid",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enable Tracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MTS\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cda\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4v\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mydocs\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\FileDirectory",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Registration Date",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evtx\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.AAC\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Friendly Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cat\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p10\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cs\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vssscc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1W\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\TransportDllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wll\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rll\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crl\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dat\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\ForceRoamingDetect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ibq\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.JSE\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msu\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mcl\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.log\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Version",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\(Default)",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Vendor Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.in_\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.php3\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ans\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpv2\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadExpirationDays",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmz\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Validator Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hhc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chm\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.shtm\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sit\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.res\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oc_\\Content Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bsc\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cgm\\Content Type",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts\\PreConfigVerNTDS",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wma\\Content Type"
    ],
    "directory_enumerated": [
        "C:\\Windows\\System32\\systeminfo.COM",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\04-01-2020_11.53.jpg",
        "C:\\Users\\cuck\\AppData",
        "C:\\Python27\\systeminfo",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\systeminfo",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\ssfn*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\systeminfo.*",
        "C:\\Python27\\Scripts\\HOSTNAME",
        "C:\\Windows\\System32\\ras\\*.pbk",
        "C:\\Windows\\System32\\netsh.exe",
        "C:\\Python27\\HOSTNAME",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\account*.oeaccount",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account*.oeaccount",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\HOSTNAME.*",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
        "C:\\Windows\\System32\\systeminfo.EXE",
        "C:\\Users\\cuck\\AppData\\Local",
        "C:\\Python27\\Scripts\\HOSTNAME.*",
        "C:\\Windows\\System32\\HOSTNAME.COM",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
        "C:\\Python27\\HOSTNAME.*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh",
        "C:\\Windows\\System32\\netsh.*",
        "C:\\Windows\\System32\\netsh.COM",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
        "C:\\Users\\cuck\\AppData\\Roaming",
        "C:\\Users",
        "C:\\Windows\\System32\\HOSTNAME.EXE",
        "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh.*",
        "C:\\Windows\\System32\\HOSTNAME.*",
        "C:\\Windows\\System32\\systeminfo.*",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\account*.oeaccount",
        "C:\\Python27\\Scripts\\netsh.*",
        "C:\\Python27\\netsh.*",
        "C:\\Users\\cuck",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\HOSTNAME",
        "C:\\Python27\\Scripts\\systeminfo.*",
        "C:\\Python27\\Scripts\\systeminfo",
        "C:\\Python27\\systeminfo.*",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.htm",
        "C:\\Users\\cuck\\AppData\\Roaming\\log",
        "C:\\Python27\\netsh",
        "C:\\Python27\\Scripts\\netsh",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe.*",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\web_history.dll",
        "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
        "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
        "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.vdf"
    ],
    "directory_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail",
        "C:\\Users\\cuck\\AppData\\Roaming\\log"
    ]
}

Dropped

[
    {
        "yara": [],
        "sha1": "b82c33981ce537dcf3299f6c78882625fbbe1f6c",
        "name": "262b1f7f651f5863_bozvxpz",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
        "type": "ASCII text, with very long lines, with no line terminators",
        "sha256": "262b1f7f651f5863ba7c6b8f18564a4a6463a6a342af59f032e4d4ae10d13362",
        "urls": [],
        "crc32": "7931D437",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/262b1f7f651f5863_bozvxpz",
        "ssdeep": null,
        "size": 6260,
        "sha512": "755bd28238f94c7688cd8af0e98525f6a9b4911dc20075c78f5452db419a4430f4f7d46f87d7780fd575d692c5d48291472ede18c56a30f311a2d1973a0d687b",
        "pids": [
            1512
        ],
        "md5": "16bfd8f38cd0115b67788e9ecde56f50"
    },
    {
        "yara": [],
        "sha1": "fa7b26fcb2802806c6b6c5e7508d56a70541e30e",
        "name": "3deee640f885e200_aut578B.tmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
        "type": "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed",
        "sha256": "3deee640f885e200cdd5bb9ef7e747f56dff577d5b6eebf73bd20c6ec0c84517",
        "urls": [],
        "crc32": "58036846",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/3deee640f885e200_aut578B.tmp",
        "ssdeep": null,
        "size": 438784,
        "sha512": "2c7088e2d87dac7d5efa30d20d40cf0514fc4f1d2a9d5ce11cfb33f0514b28a0e69c3c74884d6e55674fb119035eda194cacb99ccd80958fdbf1ca49e4241cd2",
        "pids": [
            1512
        ],
        "md5": "4e69f56a7eb39e8d55b600ddce3c5e30"
    },
    {
        "yara": [],
        "sha1": "a336349df59e49095b4e994bb376ebb71520c217",
        "name": "b25872261fc8a9e1_Info.txt",
        "filepath": "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "b25872261fc8a9e1893b0bd5427d60a6911a5a107237141fbd1507d10ff11676",
        "urls": [],
        "crc32": "5A9FDEEF",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/b25872261fc8a9e1_Info.txt",
        "ssdeep": null,
        "size": 2369,
        "sha512": "90752ba3f8adf4258018e6b6a3b8fab7648e0e8879d50576d0d2311c12c93756d59701d45dd2c6b1a0fab1b4ea103ab38d14fee375606f2ac1b1975e902281ad",
        "pids": [
            1512,
            2804
        ],
        "md5": "6870d723344d5370240bc0812de41bb8"
    },
    {
        "yara": [],
        "sha1": "4d64633440e92566f7ca9c3211748c0864ee5647",
        "name": "5f1f5aedc0e8283b_kxpzmdz",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
        "type": "ASCII text, with very long lines, with no line terminators",
        "sha256": "5f1f5aedc0e8283b61c741fee5f81b0832553889cb020aa862f86e84dc081427",
        "urls": [],
        "crc32": "D6FAB275",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/5f1f5aedc0e8283b_kxpzmdz",
        "ssdeep": null,
        "size": 28568,
        "sha512": "35d2b5f540c22bc1802ea5654b8b759c85fc90666b8576fd38c0f01bf2be941eab9ba0ea1919651675748ce470fe812fd7ed6df82c465c4c6064f37eae468541",
        "pids": [
            2804
        ],
        "md5": "4bfba866bc1e7b6c5be9723dc6886a77"
    },
    {
        "yara": [],
        "sha1": "537c226126f648a30fcf2bf034ab19dde41c569f",
        "name": "6c4d82b17fad0407_aut8197.tmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
        "type": "data",
        "sha256": "6c4d82b17fad0407ca27c3f6cba04704d4400faf5c5210e446b569e7db96e366",
        "urls": [],
        "crc32": "4921EA38",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/6c4d82b17fad0407_aut8197.tmp",
        "ssdeep": null,
        "size": 7660,
        "sha512": "1868cbde5e5e6dd83f5692b73572aaf307f8b6d0310b1a00bf3b76b382d3c481013635280a7274f3a2dcfc865418555219a36ef6c474ee2716ca99166399de73",
        "pids": [
            2804
        ],
        "md5": "4765c8da6b3c425a66b50515048c842f"
    },
    {
        "yara": [],
        "sha1": "6b0c76c1ce0cc04cf542ca8673d0b9d668f12c4e",
        "name": "7a9c538eb27ade05_logs_04.01.2020.htm",
        "filepath": "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm",
        "type": "HTML document, ASCII text, with very long lines, with CRLF line terminators",
        "sha256": "7a9c538eb27ade05b376f520725fb45f85292fa811106aac017dbc874a0648e0",
        "urls": [],
        "crc32": "A41E71F8",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/7a9c538eb27ade05_logs_04.01.2020.htm",
        "ssdeep": null,
        "size": 6879,
        "sha512": "98aa940b84b4913ceb887b0590f6abdf1440882052053bc7bf727bec8a70c1dd96d7cfda2f4a1976cc37aed7a1afdc91538e07ed7ec2bc49bde882d1320805f1",
        "pids": [
            2804
        ],
        "md5": "cc4b3d19a3d2d4c45eba346c31c5495e"
    },
    {
        "yara": [],
        "sha1": "cb39766d4b9ff64d3f0c2533200be7450d15fa02",
        "name": "7338b2872d563090_aut572C.tmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
        "type": "data",
        "sha256": "7338b2872d5630901e256767305aaae30f0fcd2d3ed49fbc6b3aa75bf87fc6e2",
        "urls": [],
        "crc32": "B665BD21",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/7338b2872d563090_aut572C.tmp",
        "ssdeep": null,
        "size": 3118,
        "sha512": "9242c4f092f9e81742dda74167510a6db5d3aee64e2d7553393090386752a9418c66205a7be3e6c1e65f239c6af967d9da3a6d510d2ea8c8e0dd49c59556ecce",
        "pids": [
            1512
        ],
        "md5": "5e78666c11c13bc28f99a16164392560"
    },
    {
        "yara": [],
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "name": "e3b0c44298fc1c14_Passwords.txt",
        "type": "empty",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "urls": [],
        "crc32": "00000000",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4766\/files\/e3b0c44298fc1c14_Passwords.txt",
        "ssdeep": null,
        "size": 0,
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
        "md5": "d41d8cd98f00b204e9800998ecf8427e"
    }
]

Generic

[
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 800,
        "summary": {
            "dll_loaded": [
                "kernel32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp"
            ],
            "command_line": [
                "HOSTNAME"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\HOSTNAME.*",
                "C:\\Python27\\HOSTNAME",
                "C:\\Users\\cuck\\AppData",
                "C:\\Windows\\System32\\HOSTNAME.*",
                "C:\\Python27\\Scripts\\HOSTNAME.*",
                "C:\\Windows\\System32\\HOSTNAME.COM",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\HOSTNAME",
                "C:\\Python27\\Scripts\\HOSTNAME",
                "C:\\Users",
                "C:\\Python27\\HOSTNAME.*",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Windows\\System32\\HOSTNAME.EXE"
            ]
        },
        "first_seen": 1578135197.775499,
        "ppid": 2804
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\netsh.exe",
        "process_name": "netsh.exe",
        "pid": 1576,
        "summary": {
            "file_recreated": [
                "\\Device\\Http\\Communication",
                "\\Device\\KsecDD"
            ],
            "regkey_written": [
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100"
            ],
            "dll_loaded": [
                "RASMONTR.DLL",
                "WSHELPER.DLL",
                "RpcRtRemote.dll",
                "kernel32.dll",
                "NSHIPSEC.DLL",
                "HTTPAPI.dll",
                "API-MS-WIN-Service-Management-L2-1-0.dll",
                "HNETMON.DLL",
                "API-MS-WIN-Service-Management-L1-1-0.dll",
                "C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
                "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
                "IFMON.DLL",
                "RPCNSH.DLL",
                "ole32.dll",
                "CRYPTSP.dll",
                "USER32.dll",
                "NETIOHLP.DLL",
                "API-MS-WIN-Service-winsvc-L1-1-0.dll",
                "ADVAPI32.dll",
                "NSHWFP.DLL",
                "NAPMONTR.DLL",
                "NSHHTTP.DLL",
                "WHHELPER.DLL",
                "PEERDISTSH.DLL",
                "GPAPI.dll",
                "FWCFG.DLL",
                "AUTHFWCFG.DLL",
                "P2PNETSH.DLL",
                "DOT3CFG.DLL",
                "WLANCFG.DLL",
                "DHCPCMONITOR.DLL",
                "userenv.dll"
            ],
            "file_opened": [
                "C:\\Windows\\System32\\en-US\\napipsec.dll.mui",
                "C:\\Windows\\System32\\EAPQEC.DLL",
                "C:\\Windows\\System32\\en-US\\eapqec.dll.mui",
                "C:\\Windows\\System32\\napipsec.dll",
                "C:\\Windows\\System32\\DHCPQEC.DLL",
                "C:\\Windows\\System32\\tsgqec.dll"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Republication",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PeerDist",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\Connection",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\PolicyProvider",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Publisher",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79621",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79623",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Discovery",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DiscoveryManager",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\iphlpsvc\\Config",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Protocol",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HostedCache\\Connection",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HandleMgr",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Publisher",
                "HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Upload",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
                "HKEY_LOCAL_MACHINE\\System\\Setup",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Roaming",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\UI",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Peers\\Connection",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79619",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Qecs\\79617",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Protocol",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Peers\\Connection",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CooperativeCaching",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\Download",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\CacheMgr\\Publication",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Publication",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\HandleMgr",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Download",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NetSh",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enroll\\HcsGroups",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CooperativeCaching",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\DownloadManager\\UtilityIndex",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\CacheMgr\\Republication",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\UtilityIndex",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\Service",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Upload",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PeerDist\\SecurityManager\\Restricted",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\Discovery"
            ],
            "file_exists": [
                "C:\\Windows\\System32\\napipsec.dll",
                "C:\\Windows\\System32\\qagentrt.dll",
                "C:\\Windows\\System32\\EAPQEC.DLL",
                "C:\\Windows\\System32\\dnsapi.dll",
                "C:\\Windows\\System32\\DHCPQEC.DLL",
                "C:\\Windows\\System32\\p2pcollab.dll",
                "C:\\Windows\\System32\\tsgqec.dll"
            ],
            "mutex": [
                "Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
            ],
            "guid": [
                "{432a1da5-3888-4b9a-a734-cff1e448c5b9}",
                "{00000323-0000-0000-c000-000000000046}",
                "{00000146-0000-0000-c000-000000000046}",
                "{07a1127b-18cc-422a-b988-e892600fcc74}",
                "{ea4a0a43-1c8f-4c7b-a4b1-28ecbd96ba8c}",
                "{bf0ec44a-c6ae-4bc5-a0ca-d33fa6c9c6c2}",
                "{eb082ba1-df8a-46be-82f3-35bf9e9be52f}"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\PolicyRefreshInProgress",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\DiscoveryProviderDllPath",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Component Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider\\Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft RSA SChannel Cryptographic Provider\\Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Service\\Enable",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Component Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider\\Type",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Validator Clsid",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingOffers",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Config Clsid",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Version",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Enabled",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Description",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Tracing Level",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserenvDebugLevel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshDllName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\DoNotUseSSL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Version",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\TransportDllPath",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Version",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousUploads",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Registration Date",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Friendly Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Validator Clsid",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ServerRole",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\GpSvcDebugLevel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxSimultaneousDownloads",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Vendor Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\BlockSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS Cryptographic Provider\\Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Component Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Vendor Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base DSS and Diffie-Hellman Cryptographic Provider\\Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Vendor Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\RepubQuorumSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\TransportDllPath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft DH SChannel Cryptographic Provider\\Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\MaxPendingDownloads",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Enabled",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DiscoveryManager\\MinBackoffWindow",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Registration Date",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\NumBlocksPerSegment",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Enabled",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Component Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Info Clsid",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Strong Cryptographic Provider\\Type",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Description",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Config Clsid",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\DownloadManager\\CryptoAlgo",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Enabled",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPHLPSVC\\config\\Connectivity_Platform_Enabled",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\HostedCache\\ClientAuth",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Config Clsid",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Config Clsid",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0\\Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Info Clsid",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Info Clsid",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Vendor Name",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Info Clsid",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\Enable Tracing",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Upgrade",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Friendly Name",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Registration Date",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Friendly Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\SecurityManager\\Restricted\\Seed",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Friendly Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\ForceRoamingDetect",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79621\\Description",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Description",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\F6C4EC9A",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79619\\Version",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Validator Clsid",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79617\\Validator Clsid",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\Qecs\\79623\\Registration Date",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PeerDist\\Roaming\\RefreshProcName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\DisabledComponents",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\napagent\\LocalConfig\\PlumbIpsecPolicy"
            ]
        },
        "first_seen": 1578135188.853626,
        "ppid": 2584
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin",
        "process_name": "a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin",
        "pid": 1512,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt"
            ],
            "file_recreated": [
                "\\??\\nul",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp"
            ],
            "directory_created": [
                "C:\\Users\\cuck\\AppData\\Roaming\\log"
            ],
            "dll_loaded": [
                "COMDLG32.dll",
                "C:\\Windows\\System32\\mswsock.dll",
                "DNSAPI.dll",
                "DHCPCSVC.DLL",
                "kernel32.dll",
                "UxTheme.dll",
                "dwmapi.dll",
                "C:\\Windows\\system32\\napinsp.dll",
                "API-MS-WIN-Service-Management-L1-1-0.dll",
                "WININET.dll",
                "SXS.DLL",
                "KERNEL32.DLL",
                "WSOCK32.dll",
                "RASMAN.DLL",
                "comctl32",
                "ole32.dll",
                "USERENV.dll",
                "USER32.dll",
                "IMM32.dll",
                "MPR.dll",
                "API-MS-Win-Security-SDDL-L1-1-0.dll",
                "API-MS-WIN-Service-winsvc-L1-1-0.dll",
                "rtutils.dll",
                "IPHLPAPI.DLL",
                "wininet.dll",
                "OLEAUT32.dll",
                "C:\\Windows\\system32\\pnrpnsp.dll",
                "SHELL32.dll",
                "C:\\Windows\\System32\\winrnr.dll",
                "PSAPI.DLL",
                "comctl32.dll",
                "COMCTL32.dll",
                "VERSION.dll",
                "WINMM.dll",
                "GDI32.dll",
                "C:\\Windows\\SysWOW64\\oleaut32.dll",
                "ADVAPI32.dll",
                "WS2_32.dll"
            ],
            "file_opened": [
                "",
                "C:\\Users\\cuck\\AppData\\Roaming\\",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "\\Device\\NamedPipe\\",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
                "C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin",
                "C:\\Windows\\SysWOW64\\stdole2.tlb"
            ],
            "file_copied": [
                [
                    "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
                    "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe"
                ]
            ],
            "connects_host": [
                "icanhazip.com",
                "62.108.34.111"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winsat",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
                "HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin",
                "HKEY_CURRENT_USER\\winmgmts",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
                "HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
                "HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
                "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
                "HKEY_CURRENT_USER\\Control Panel\\Mouse",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
                "HKEY_CLASSES_ROOT\\HTTP\\shell\\open\\command",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
                "HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
                "HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
                "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\409",
                "HKEY_CURRENT_USER\\TypeLib",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\9",
                "HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2",
                "HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0"
            ],
            "resolves_host": [
                "wpad",
                "cuckpc",
                "localhost"
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt"
            ],
            "file_deleted": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f.bin",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\web_history.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck\\AppData\\Roaming\\log",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2"
            ],
            "mutex": [
                "IESQMMUTEX_0_208"
            ],
            "file_failed": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2"
            ],
            "wmi_query": [
                "Select * from AntiVirusProduct"
            ],
            "command_line": [
                "C:\\Windows\\system32\\cmd.exe \/k systeminfo",
                "C:\\Windows\\system32\\cmd.exe \/c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE",
                "C:\\Windows\\system32\\cmd.exe \/c C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe all",
                "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1 ",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe"
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut572C.tmp",
                "C:\\Windows\\SysWOW64\\stdole2.tlb",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
                "C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winsat\\PrimaryAdapterString",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\Environment\\PROCESSOR_ARCHITECTURE",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BaseBoardProduct",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
                "HKEY_CURRENT_USER\\HTTP\\shell\\open\\command\\(Default)",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BaseBoardManufacturer",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
                "HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)"
            ],
            "directory_enumerated": [
                "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
                "C:\\Users\\cuck\\AppData",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\web_history.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bozvxpz",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
                "C:\\Users\\cuck",
                "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
                "C:\\Users",
                "C:\\Windows\\System32\\ras\\*.pbk",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
                "C:\\Users\\cuck\\AppData\\Local"
            ],
            "regkey_written": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoUpdate",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TaskbarNoNotification",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory"
            ]
        },
        "first_seen": 1578135186.546875,
        "ppid": 2892
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\HOSTNAME.EXE",
        "process_name": "HOSTNAME.EXE",
        "pid": 2680,
        "summary": {
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable"
            ],
            "dll_loaded": [
                "API-MS-Win-Security-SDDL-L1-1-0.dll",
                "C:\\Windows\\system32\\pnrpnsp.dll",
                "C:\\Windows\\system32\\NLAapi.dll",
                "C:\\Windows\\System32\\winrnr.dll",
                "DNSAPI.dll",
                "C:\\Windows\\System32\\mswsock.dll",
                "WS2_32.dll",
                "rpcrt4.dll",
                "C:\\Windows\\system32\\napinsp.dll"
            ]
        },
        "first_seen": 1578135197.947374,
        "ppid": 800
    },
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1578135186.3125,
        "ppid": 376
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 2360,
        "summary": {
            "file_opened": [
                "C:\\"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe",
                "C:\\Users\\cuck\\AppData",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Local"
            ]
        },
        "first_seen": 1578135191.400499,
        "ppid": 1512
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
        "process_name": "AutoUpdate.exe",
        "pid": 2804,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz"
            ],
            "file_recreated": [
                "\\??\\nul",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp"
            ],
            "regkey_written": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\ConsoleTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableFileTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileDirectory",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableConsoleTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileTracingMask",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Server ID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\MaxFileSize",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default LDAP Account"
            ],
            "dll_loaded": [
                "COMDLG32.dll",
                "gdi32.dll",
                "kernel32.dll",
                "UxTheme.dll",
                "dwmapi.dll",
                "ntdll.dll",
                "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
                "API-MS-WIN-Service-Management-L1-1-0.dll",
                "WININET.dll",
                "SXS.DLL",
                "KERNEL32.DLL",
                "WSOCK32.dll",
                "RASMAN.DLL",
                "comctl32",
                "ole32.dll",
                "USERENV.dll",
                "USER32.dll",
                "IMM32.dll",
                "gdiplus.dll",
                "MPR.dll",
                "API-MS-WIN-Service-winsvc-L1-1-0.dll",
                "rtutils.dll",
                "IPHLPAPI.DLL",
                "WinInet.dll",
                "Avicap32.dll",
                "OLEAUT32.dll",
                "SHELL32.dll",
                "PSAPI.DLL",
                "comctl32.dll",
                "COMCTL32.dll",
                "VERSION.dll",
                "WINMM.dll",
                "GDI32.dll",
                "MLANG.dll",
                "C:\\Windows\\SysWOW64\\oleaut32.dll",
                "ADVAPI32.dll",
                "WS2_32.dll",
                "user32.dll"
            ],
            "file_opened": [
                "",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount",
                "C:\\Windows\\System32\\netmsg.dll",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount",
                "\\Device\\NamedPipe\\",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
                "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm",
                "C:\\Windows\\SysWOW64\\cdosys.dll",
                "C:\\Windows\\SysWOW64\\stdole2.tlb"
            ],
            "connects_host": [
                "icanhazip.com"
            ],
            "regkey_opened": [
                "HKEY_CLASSES_ROOT\\.tiff",
                "HKEY_CLASSES_ROOT\\.avi",
                "HKEY_CLASSES_ROOT\\.group",
                "HKEY_CLASSES_ROOT\\.wsc",
                "HKEY_CLASSES_ROOT\\.vssscc",
                "HKEY_CLASSES_ROOT\\.ai",
                "HKEY_CLASSES_ROOT\\.wsz",
                "HKEY_CLASSES_ROOT\\.au",
                "HKEY_CLASSES_ROOT\\.wvx",
                "HKEY_CLASSES_ROOT\\.c2r",
                "HKEY_CLASSES_ROOT\\.TTS",
                "HKEY_CLASSES_ROOT\\.mlc",
                "HKEY_CLASSES_ROOT\\.js",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
                "HKEY_CLASSES_ROOT\\.gmmp",
                "HKEY_CLASSES_ROOT\\.evt",
                "HKEY_CLASSES_ROOT\\.xls",
                "HKEY_CLASSES_ROOT\\.eyb",
                "HKEY_CLASSES_ROOT\\.cda",
                "HKEY_CLASSES_ROOT\\.cdx",
                "HKEY_CLASSES_ROOT\\.xlb",
                "HKEY_CLASSES_ROOT\\.jbf",
                "HKEY_CLASSES_ROOT\\.com",
                "HKEY_CLASSES_ROOT\\.lst",
                "HKEY_CLASSES_ROOT\\.cod",
                "HKEY_CLASSES_ROOT\\.dct",
                "HKEY_CLASSES_ROOT\\.nls",
                "HKEY_CLASSES_ROOT\\.mov",
                "HKEY_CLASSES_ROOT\\.H1C",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\VFW",
                "HKEY_CLASSES_ROOT\\.wm",
                "HKEY_CLASSES_ROOT\\.rsp",
                "HKEY_CLASSES_ROOT\\.pch",
                "HKEY_CLASSES_ROOT\\txtfile",
                "HKEY_CLASSES_ROOT\\.hpp",
                "HKEY_CLASSES_ROOT\\.wtx",
                "HKEY_CLASSES_ROOT\\.rtf",
                "HKEY_CURRENT_USER\\CLSID\\{00000000-0000-0000-0000-000000000000}",
                "HKEY_CLASSES_ROOT\\.m4v",
                "HKEY_CLASSES_ROOT\\.m4p",
                "HKEY_CLASSES_ROOT\\.art",
                "HKEY_CLASSES_ROOT\\.bkf",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\Progid",
                "HKEY_CLASSES_ROOT\\.m4a",
                "HKEY_CLASSES_ROOT\\.kci",
                "HKEY_CLASSES_ROOT\\.qds",
                "HKEY_CLASSES_ROOT\\.cab",
                "HKEY_CLASSES_ROOT\\.p12",
                "HKEY_CLASSES_ROOT\\.p10",
                "HKEY_CLASSES_ROOT\\.MTS",
                "HKEY_CLASSES_ROOT\\.cat",
                "HKEY_CLASSES_ROOT\\.aspx",
                "HKEY_CLASSES_ROOT\\.psd",
                "HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
                "HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
                "HKEY_CLASSES_ROOT\\.ibq",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0",
                "HKEY_CLASSES_ROOT\\.sor",
                "HKEY_CLASSES_ROOT\\.blg",
                "HKEY_CLASSES_ROOT\\.chm",
                "HKEY_CLASSES_ROOT\\.chk",
                "HKEY_CLASSES_ROOT\\.sol",
                "HKEY_CLASSES_ROOT\\.vob",
                "HKEY_CLASSES_ROOT\\.rat",
                "HKEY_CLASSES_ROOT\\.MOD",
                "HKEY_CLASSES_ROOT\\.xps",
                "HKEY_CLASSES_ROOT\\.log",
                "HKEY_CLASSES_ROOT\\.rc",
                "HKEY_CLASSES_ROOT\\.faq",
                "HKEY_CLASSES_ROOT\\.png",
                "HKEY_CLASSES_ROOT\\.pnf",
                "HKEY_CLASSES_ROOT\\.doc",
                "HKEY_CLASSES_ROOT\\.mpv2",
                "HKEY_CLASSES_ROOT\\.dos",
                "HKEY_CLASSES_ROOT\\.dot",
                "HKEY_CLASSES_ROOT\\.jod",
                "HKEY_CLASSES_ROOT\\.csv",
                "HKEY_CLASSES_ROOT\\.css",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\409",
                "HKEY_CLASSES_ROOT\\.mht",
                "HKEY_CLASSES_ROOT\\.csa",
                "HKEY_CLASSES_ROOT\\.udt",
                "HKEY_CLASSES_ROOT\\.htx",
                "HKEY_CLASSES_ROOT\\.crds",
                "HKEY_CLASSES_ROOT\\.trg",
                "HKEY_CLASSES_ROOT\\.htt",
                "HKEY_CLASSES_ROOT\\.htw",
                "HKEY_CLASSES_ROOT\\.mcl",
                "HKEY_CLASSES_ROOT\\.udf",
                "HKEY_CLASSES_ROOT\\.htm",
                "HKEY_CLASSES_ROOT\\.shtm",
                "HKEY_CLASSES_ROOT\\.hta",
                "HKEY_CLASSES_ROOT\\.htc",
                "HKEY_CLASSES_ROOT\\.p7s",
                "HKEY_CLASSES_ROOT\\.txt",
                "HKEY_CLASSES_ROOT\\.WMS",
                "HKEY_CLASSES_ROOT\\.WMD",
                "HKEY_CLASSES_ROOT\\.jfif",
                "HKEY_CLASSES_ROOT\\.wlt",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager",
                "HKEY_CLASSES_ROOT\\.fon",
                "HKEY_CLASSES_ROOT\\.wll",
                "HKEY_CLASSES_ROOT\\.cer",
                "HKEY_CLASSES_ROOT\\.tab",
                "HKEY_CLASSES_ROOT\\.nfo",
                "HKEY_CLASSES_ROOT\\.cls",
                "HKEY_CLASSES_ROOT\\.ps1xml",
                "HKEY_CLASSES_ROOT\\.tar",
                "HKEY_CURRENT_USER\\Control Panel\\Mouse",
                "HKEY_CLASSES_ROOT\\.sst",
                "HKEY_CLASSES_ROOT\\.html",
                "HKEY_CLASSES_ROOT\\.xlt",
                "HKEY_CLASSES_ROOT\\.reg",
                "HKEY_CLASSES_ROOT\\.mp2v",
                "HKEY_CLASSES_ROOT\\.usr",
                "HKEY_CLASSES_ROOT\\.pif",
                "HKEY_CLASSES_ROOT\\.pic",
                "HKEY_CLASSES_ROOT\\.res",
                "HKEY_CLASSES_ROOT\\.m14",
                "HKEY_CLASSES_ROOT\\.cpp",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                "HKEY_CLASSES_ROOT\\.cpl",
                "HKEY_CLASSES_ROOT\\.pbk",
                "HKEY_CLASSES_ROOT\\.386",
                "HKEY_CLASSES_ROOT\\.xlc",
                "HKEY_CLASSES_ROOT\\.AAC",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
                "HKEY_CLASSES_ROOT\\.evtx",
                "HKEY_CLASSES_ROOT\\.m1v",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\CLSID",
                "HKEY_CLASSES_ROOT\\.eprtx",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}",
                "HKEY_CLASSES_ROOT\\.vcf",
                "HKEY_CLASSES_ROOT\\.xsd",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Shared",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Mail",
                "HKEY_CLASSES_ROOT\\.ppt",
                "HKEY_CLASSES_ROOT\\.pps",
                "HKEY_CLASSES_ROOT\\.tsv",
                "HKEY_CLASSES_ROOT\\.tsp",
                "HKEY_CLASSES_ROOT\\.hxx",
                "HKEY_CLASSES_ROOT\\.ilk",
                "HKEY_CLASSES_ROOT\\.sed",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocHandler32",
                "HKEY_CLASSES_ROOT\\.ics",
                "HKEY_CLASSES_ROOT\\.mk",
                "HKEY_CLASSES_ROOT\\.spc",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
                "HKEY_CLASSES_ROOT\\.tdl",
                "HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
                "HKEY_CLASSES_ROOT\\.icc",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0\\win32",
                "HKEY_CLASSES_ROOT\\.mv",
                "HKEY_CLASSES_ROOT\\.icm",
                "HKEY_CLASSES_ROOT\\.icl",
                "HKEY_CLASSES_ROOT\\.ico",
                "HKEY_CLASSES_ROOT\\.der",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
                "HKEY_CLASSES_ROOT\\.xsl",
                "HKEY_CLASSES_ROOT\\.def",
                "HKEY_CLASSES_ROOT\\.ncb",
                "HKEY_CLASSES_ROOT\\.fky",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
                "HKEY_CLASSES_ROOT\\.swf",
                "HKEY_CLASSES_ROOT\\.M2V",
                "HKEY_CLASSES_ROOT\\.z96",
                "HKEY_CLASSES_ROOT\\.M2T",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocHandler",
                "HKEY_CLASSES_ROOT\\.ttc",
                "HKEY_CLASSES_ROOT\\.zip",
                "HKEY_CLASSES_ROOT\\.bsc",
                "HKEY_CLASSES_ROOT\\.shtml",
                "HKEY_CLASSES_ROOT\\.psc1",
                "HKEY_CLASSES_ROOT\\.ghi",
                "HKEY_CLASSES_ROOT\\.dbg",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\TreatAs",
                "HKEY_CLASSES_ROOT\\.pmr",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
                "HKEY_CLASSES_ROOT\\.dbs",
                "HKEY_CLASSES_ROOT\\.3g2",
                "HKEY_CLASSES_ROOT\\.pml",
                "HKEY_CLASSES_ROOT\\.pmc",
                "HKEY_CLASSES_ROOT\\.pma",
                "HKEY_CLASSES_ROOT\\.ADTS",
                "HKEY_CLASSES_ROOT\\.pfx",
                "HKEY_CLASSES_ROOT\\.mig",
                "HKEY_CLASSES_ROOT\\.mid",
                "HKEY_CURRENT_USER\\CDO.Message",
                "HKEY_CLASSES_ROOT\\.webpnp",
                "HKEY_CLASSES_ROOT\\.wpl",
                "HKEY_CLASSES_ROOT\\.pfm",
                "HKEY_CLASSES_ROOT\\.label",
                "HKEY_CLASSES_ROOT\\.sbr",
                "HKEY_CLASSES_ROOT\\.cc",
                "HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
                "HKEY_CLASSES_ROOT\\.bas",
                "HKEY_CLASSES_ROOT\\.bat",
                "HKEY_CLASSES_ROOT\\.cs",
                "HKEY_CLASSES_ROOT\\.VBE",
                "HKEY_CLASSES_ROOT\\.DVR",
                "HKEY_CLASSES_ROOT\\.asx",
                "HKEY_CLASSES_ROOT\\.asp",
                "HKEY_CLASSES_ROOT\\.osdx",
                "HKEY_CLASSES_ROOT\\.db",
                "HKEY_CLASSES_ROOT\\.eps",
                "HKEY_CLASSES_ROOT\\.asm",
                "HKEY_CLASSES_ROOT\\.asa",
                "HKEY_CLASSES_ROOT\\.etp",
                "HKEY_CLASSES_ROOT\\.asc",
                "HKEY_CLASSES_ROOT\\.asf",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\AutoUpdate_RASMANCS",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0",
                "HKEY_CLASSES_ROOT\\.latex",
                "HKEY_CLASSES_ROOT\\.otf",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Preconfigured",
                "HKEY_CLASSES_ROOT\\.vxd",
                "HKEY_CLASSES_ROOT\\.sit",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Content Type\\text\/plain",
                "HKEY_CLASSES_ROOT\\.cmd",
                "HKEY_CLASSES_ROOT\\.stl",
                "HKEY_CLASSES_ROOT\\.stm",
                "HKEY_CLASSES_ROOT\\.theme",
                "HKEY_CLASSES_ROOT\\.gadget",
                "HKEY_CLASSES_ROOT\\FirefoxHTML-E7CF176E110C211B",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail",
                "HKEY_CLASSES_ROOT\\.tif",
                "HKEY_CLASSES_ROOT\\.edrwx",
                "HKEY_CLASSES_ROOT\\.dat",
                "HKEY_CLASSES_ROOT\\.diz",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
                "HKEY_CURRENT_USER\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}",
                "HKEY_CLASSES_ROOT\\.wdp",
                "HKEY_CLASSES_ROOT\\.wcx",
                "HKEY_CLASSES_ROOT\\.lnk",
                "HKEY_CLASSES_ROOT\\.xslt",
                "HKEY_CLASSES_ROOT\\.rmi",
                "HKEY_CLASSES_ROOT\\.psd1",
                "HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\CLSID",
                "HKEY_CLASSES_ROOT\\.pl",
                "HKEY_CLASSES_ROOT\\.midi",
                "HKEY_CLASSES_ROOT\\.jnt",
                "HKEY_CLASSES_ROOT\\.lgn",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}",
                "HKEY_CLASSES_ROOT\\.csproj",
                "HKEY_CLASSES_ROOT\\.vbs",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0",
                "HKEY_CLASSES_ROOT\\.vbx",
                "HKEY_CLASSES_ROOT\\.3gp2",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\9",
                "HKEY_CLASSES_ROOT\\.psm1",
                "HKEY_CLASSES_ROOT\\.cxx",
                "HKEY_CLASSES_ROOT\\.3gp",
                "HKEY_CLASSES_ROOT\\.JSE",
                "HKEY_CLASSES_ROOT\\.emf",
                "HKEY_CLASSES_ROOT\\.rc2",
                "HKEY_CLASSES_ROOT\\.vbproj",
                "HKEY_CLASSES_ROOT\\.gz",
                "HKEY_CLASSES_ROOT\\.img",
                "HKEY_CLASSES_ROOT\\.imc",
                "HKEY_CLASSES_ROOT\\.M2TS",
                "HKEY_CLASSES_ROOT\\.mpeg",
                "HKEY_CLASSES_ROOT\\.wbcat",
                "HKEY_CLASSES_ROOT\\.3gpp",
                "HKEY_CLASSES_ROOT\\.xix",
                "HKEY_CLASSES_ROOT\\.user",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
                "HKEY_CLASSES_ROOT\\.fnd",
                "HKEY_CLASSES_ROOT\\.rct",
                "HKEY_CLASSES_ROOT\\.wmv",
                "HKEY_CLASSES_ROOT\\.idl",
                "HKEY_CLASSES_ROOT\\.wmp",
                "HKEY_CLASSES_ROOT\\.ps1",
                "HKEY_CLASSES_ROOT\\.wmx",
                "HKEY_CLASSES_ROOT\\.wmz",
                "HKEY_CLASSES_ROOT\\.fnt",
                "HKEY_CLASSES_ROOT\\.wmf",
                "HKEY_CLASSES_ROOT\\.wma",
                "HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
                "HKEY_CLASSES_ROOT\\.idq",
                "HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
                "HKEY_CLASSES_ROOT\\.hqx",
                "HKEY_CLASSES_ROOT\\.mp4v",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32",
                "HKEY_CLASSES_ROOT\\.msi",
                "HKEY_CLASSES_ROOT\\.lib",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CDO.Message\\CLSID",
                "HKEY_CLASSES_ROOT\\.msg",
                "HKEY_CLASSES_ROOT\\.msc",
                "HKEY_CLASSES_ROOT\\.gif",
                "HKEY_CLASSES_ROOT\\.msu",
                "HKEY_CLASSES_ROOT\\.msp",
                "HKEY_CLASSES_ROOT\\.obj",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
                "HKEY_CLASSES_ROOT\\.webm",
                "HKEY_CLASSES_ROOT\\.RDP",
                "HKEY_CLASSES_ROOT\\.IVF",
                "HKEY_CLASSES_ROOT\\.H1V",
                "HKEY_CLASSES_ROOT\\.H1W",
                "HKEY_CLASSES_ROOT\\.H1T",
                "HKEY_CLASSES_ROOT\\.dsw",
                "HKEY_CLASSES_ROOT\\.dsp",
                "HKEY_CLASSES_ROOT\\.H1S",
                "HKEY_CLASSES_ROOT\\.H1Q",
                "HKEY_CLASSES_ROOT\\.movie",
                "HKEY_CLASSES_ROOT\\.H1F",
                "HKEY_CLASSES_ROOT\\.H1D",
                "HKEY_CLASSES_ROOT\\.viw",
                "HKEY_CLASSES_ROOT\\.mmf",
                "HKEY_CLASSES_ROOT\\.vsscc",
                "HKEY_CLASSES_ROOT\\.dsn",
                "HKEY_CLASSES_ROOT\\.H1K",
                "HKEY_CLASSES_ROOT\\.H1H",
                "HKEY_CLASSES_ROOT\\.xbap",
                "HKEY_CLASSES_ROOT\\.ex_",
                "HKEY_CLASSES_ROOT\\.xrm-ms",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
                "HKEY_CLASSES_ROOT\\.bin",
                "HKEY_CLASSES_ROOT\\.aps",
                "HKEY_CLASSES_ROOT\\.jpg",
                "HKEY_CLASSES_ROOT\\.jpe",
                "HKEY_CLASSES_ROOT\\.exp",
                "HKEY_CLASSES_ROOT\\.ext",
                "HKEY_CLASSES_ROOT\\.mhtml",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts",
                "HKEY_CLASSES_ROOT\\.pyo",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0",
                "HKEY_CLASSES_ROOT\\.text",
                "HKEY_CLASSES_ROOT\\.exe",
                "HKEY_CLASSES_ROOT\\.xml",
                "HKEY_CLASSES_ROOT\\.URL",
                "HKEY_CLASSES_ROOT\\.sql",
                "HKEY_CLASSES_ROOT\\.hdp",
                "HKEY_CLASSES_ROOT\\.tgz",
                "HKEY_CLASSES_ROOT\\.xaml",
                "HKEY_CLASSES_ROOT\\.rgs",
                "HKEY_CLASSES_ROOT\\.grp",
                "HKEY_CURRENT_USER\\TypeLib",
                "HKEY_CLASSES_ROOT\\.tli",
                "HKEY_CLASSES_ROOT\\.tlh",
                "HKEY_CLASSES_ROOT\\.odt",
                "HKEY_CLASSES_ROOT\\.tlb",
                "HKEY_CLASSES_ROOT\\.wmdb",
                "HKEY_CLASSES_ROOT\\.py",
                "HKEY_CLASSES_ROOT\\.ogg",
                "HKEY_CLASSES_ROOT\\.ascx",
                "HKEY_CLASSES_ROOT\\.aif",
                "HKEY_CLASSES_ROOT\\.oga",
                "HKEY_CLASSES_ROOT\\.ps",
                "HKEY_CLASSES_ROOT\\.dib",
                "HKEY_CLASSES_ROOT\\.dic",
                "HKEY_CLASSES_ROOT\\.rll",
                "HKEY_CLASSES_ROOT\\.docx",
                "HKEY_CLASSES_ROOT\\.ogv",
                "HKEY_CLASSES_ROOT\\.rle",
                "HKEY_CLASSES_ROOT\\.sc2",
                "HKEY_CLASSES_ROOT\\.local",
                "HKEY_CLASSES_ROOT\\.rul",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM",
                "HKEY_CLASSES_ROOT\\.WSH",
                "HKEY_CLASSES_ROOT\\.pyc",
                "HKEY_CLASSES_ROOT\\.in_",
                "HKEY_CLASSES_ROOT\\.cur",
                "HKEY_CLASSES_ROOT\\.WSF",
                "HKEY_CLASSES_ROOT\\.pyw",
                "HKEY_CLASSES_ROOT\\.inv",
                "HKEY_CLASSES_ROOT\\.wri",
                "HKEY_CLASSES_ROOT\\.nvr",
                "HKEY_CLASSES_ROOT\\.easmx",
                "HKEY_CLASSES_ROOT\\.sct",
                "HKEY_CLASSES_ROOT\\.mak",
                "HKEY_CLASSES_ROOT\\.scr",
                "HKEY_CLASSES_ROOT\\.inx",
                "HKEY_CLASSES_ROOT\\.scp",
                "HKEY_CLASSES_ROOT\\.inf",
                "HKEY_CLASSES_ROOT\\.inc",
                "HKEY_CLASSES_ROOT\\.man",
                "HKEY_CLASSES_ROOT\\.m3u",
                "HKEY_CLASSES_ROOT\\.scf",
                "HKEY_CLASSES_ROOT\\.inl",
                "HKEY_CLASSES_ROOT\\.scd",
                "HKEY_CLASSES_ROOT\\.scc",
                "HKEY_CLASSES_ROOT\\.ini",
                "HKEY_CLASSES_ROOT\\.jpeg",
                "HKEY_CLASSES_ROOT\\MIME\\Database\\Content Type",
                "HKEY_CLASSES_ROOT\\.snd",
                "HKEY_CLASSES_ROOT\\.xht",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
                "HKEY_CLASSES_ROOT\\.bmp",
                "HKEY_CLASSES_ROOT\\.cgm",
                "HKEY_CLASSES_ROOT\\.jtx",
                "HKEY_CLASSES_ROOT\\.m4b",
                "HKEY_CLASSES_ROOT\\.jtp",
                "HKEY_CLASSES_ROOT\\.hhc",
                "HKEY_CLASSES_ROOT\\.sch",
                "HKEY_CLASSES_ROOT\\.ans",
                "HKEY_CLASSES_ROOT\\.ani",
                "HKEY_CLASSES_ROOT\\.dwfx",
                "HKEY_CLASSES_ROOT\\.p7m",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
                "HKEY_CLASSES_ROOT\\.p7b",
                "HKEY_CLASSES_ROOT\\.p7c",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
                "HKEY_CLASSES_ROOT\\.p7r",
                "HKEY_CLASSES_ROOT\\.pko",
                "HKEY_CLASSES_ROOT\\.vspscc",
                "HKEY_CLASSES_ROOT\\.pds",
                "HKEY_CLASSES_ROOT\\.crt",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AutoUpdate.exe",
                "HKEY_CLASSES_ROOT\\.rpc",
                "HKEY_CLASSES_ROOT\\.java",
                "HKEY_CLASSES_ROOT\\.pdb",
                "HKEY_CLASSES_ROOT\\.crd",
                "HKEY_CLASSES_ROOT\\.pdf",
                "HKEY_CLASSES_ROOT\\.UDL",
                "HKEY_CLASSES_ROOT\\.crl",
                "HKEY_CLASSES_ROOT\\.drv",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
                "HKEY_CLASSES_ROOT\\.ttf",
                "HKEY_CLASSES_ROOT\\.bcp",
                "HKEY_CLASSES_ROOT\\.jav",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32",
                "HKEY_CLASSES_ROOT\\.TS",
                "HKEY_CLASSES_ROOT\\.camp",
                "HKEY_CLASSES_ROOT\\.aiff",
                "HKEY_CLASSES_ROOT\\.prf",
                "HKEY_CLASSES_ROOT\\.prc",
                "HKEY_CLASSES_ROOT\\.aifc",
                "HKEY_CLASSES_ROOT\\.WTV",
                "HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
                "HKEY_CLASSES_ROOT\\.xhtml",
                "HKEY_CLASSES_ROOT\\.plg",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0\\win32",
                "HKEY_CLASSES_ROOT\\.mydocs",
                "HKEY_CLASSES_ROOT\\.php3",
                "HKEY_CLASSES_ROOT\\.sy_",
                "HKEY_CLASSES_ROOT\\.srf",
                "HKEY_CLASSES_ROOT\\.DVR-MS",
                "HKEY_CLASSES_ROOT\\.fif",
                "HKEY_CLASSES_ROOT\\.i",
                "HKEY_CLASSES_ROOT\\.Job",
                "HKEY_CLASSES_ROOT\\.h",
                "HKEY_CLASSES_ROOT\\.msdvd",
                "HKEY_CLASSES_ROOT\\.asmx",
                "HKEY_CLASSES_ROOT\\.sys",
                "HKEY_CLASSES_ROOT\\.sym",
                "HKEY_CLASSES_ROOT\\.hlp",
                "HKEY_CLASSES_ROOT\\.s",
                "HKEY_CLASSES_ROOT\\.mp2",
                "HKEY_CLASSES_ROOT\\.mp3",
                "HKEY_CLASSES_ROOT\\.mp4",
                "HKEY_CLASSES_ROOT\\.sr_",
                "HKEY_CLASSES_ROOT\\.odc",
                "HKEY_CLASSES_ROOT\\.wav",
                "HKEY_CLASSES_ROOT\\.wax",
                "HKEY_CLASSES_ROOT\\.odl",
                "HKEY_CLASSES_ROOT\\.oc_",
                "HKEY_CLASSES_ROOT\\.odh",
                "HKEY_CLASSES_ROOT\\.dl_",
                "HKEY_CLASSES_ROOT\\.wab",
                "HKEY_CLASSES_ROOT\\.ADT",
                "HKEY_CLASSES_ROOT\\.dll",
                "HKEY_CLASSES_ROOT\\.c",
                "HKEY_CLASSES_ROOT\\.a",
                "HKEY_CLASSES_ROOT\\.mpa",
                "HKEY_CLASSES_ROOT\\.ocx",
                "HKEY_CLASSES_ROOT\\.mpe",
                "HKEY_CLASSES_ROOT\\.iso",
                "HKEY_CLASSES_ROOT\\.mpg",
                "HKEY_CLASSES_ROOT\\.pot",
                "HKEY_CLASSES_ROOT\\.cdmp",
                "HKEY_CLASSES_ROOT\\.x",
                "HKEY_CLASSES_ROOT\\.vcproj",
                "HKEY_CLASSES_ROOT\\.z",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler"
            ],
            "resolves_host": [
                "..localmachine"
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz"
            ],
            "file_deleted": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\04-01-2020_11.53.jpg",
                "C:\\Windows\\System32\\C_28591.NLS",
                "C:\\Windows\\System32\\C_936.NLS",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\ssfn*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Windows\\System32\\C_949.NLS",
                "C:\\Windows\\System32\\C_950.NLS",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.htm",
                "C:\\Users\\cuck\\AppData\\Roaming\\log",
                "C:\\Windows\\System32\\C_932.NLS",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.vdf"
            ],
            "guid": [
                "{70b51430-b6ca-11d0-b9b9-00a0c922e750}",
                "{275c23e2-3747-11d0-9fea-00aa003f8646}",
                "{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
                "{a4f96ed0-f829-476e-81c0-cdc7bd2a0802}",
                "{fd465481-1384-11d0-abbd-0020afdfd10a}",
                "{275c23e1-3747-11d0-9fea-00aa003f8646}",
                "{a47979d2-c419-11d9-a5b4-001185ad2b89}",
                "{cd000001-8b95-11d1-82db-00c04fb1625d}",
                "{fd853ce6-7f86-11d0-8252-00c04fd85ab4}",
                "{0df2c7e6-3435-11d0-81d0-00c04fd85ab4}",
                "{3124c396-fb13-4836-a6ad-1317f1713688}",
                "{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
                "{8d4b04e1-1331-11d0-81b8-00c04fd85ab4}",
                "{00000567-0000-0010-8000-00aa006d2ea4}",
                "{dccfc164-2b38-11d2-b7ec-00c04f8f5d9a}",
                "{a9e69610-b80d-11d0-b9b9-00a0c922e750}",
                "{0df2c7e2-3435-11d0-81d0-00c04fd85ab4}",
                "{fd853ce8-7f86-11d0-8252-00c04fd85ab4}",
                "{00020400-0000-0000-c000-000000000046}",
                "{dcb00000-570f-4a9b-8d69-199fdba5723b}",
                "{00000560-0000-0010-8000-00aa006d2ea4}"
            ],
            "command_line": [
                "C:\\Windows\\system32\\cmd.exe \/k HOSTNAME",
                "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1 "
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut8197.tmp",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{E8B20193-B324-4F69-85C3-A585C87B3B69}.oeaccount",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{9505C2E7-137C-4315-8EBB-D4AE26FFA58D}.oeaccount",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
                "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account{3F157EAB-C371-449F-8817-DE062D63E39B}.oeaccount",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\logs_04.01.2020.htm",
                "C:\\Windows\\SysWOW64\\cdosys.dll",
                "C:\\Windows\\SysWOW64\\stdole2.tlb"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nvr\\Content Type",
                "HKEY_CURRENT_USER\\.html\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c2r\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tdl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rmi\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TS\\Content Type",
                "HKEY_CURRENT_USER\\.htm\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p12\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pko\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.camp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icm\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rgs\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bmp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inx\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoUpdate",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlh\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnd\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mlc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msi\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rat\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idq\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mmf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asmx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sql\\Content Type",
                "HKEY_CURRENT_USER\\.oga\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gif\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pbk\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3g2\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileDirectory",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail\\Disable RFC2646 Wrapping",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tar\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2v\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bat\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlb\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmv\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.au\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7m\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1H\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xslt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hta\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rpc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpeg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mhtml\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ex_\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exp\\Content Type",
                "HKEY_CURRENT_USER\\.htm\\(Default)",
                "HKEY_CURRENT_USER\\.xhtml\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADT\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.a\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts\\PreConfigVer",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default News Account",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xix\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sym\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdmp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mid\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fky\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lst\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.text\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\ConsoleTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.plg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sol\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.grp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1F\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyo\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1T\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ascx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jtx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmr\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.local\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.snd\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default Mail Account",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aiff\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\FileTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ghi\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\ProgID\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsz\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aps\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.usr\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.i\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Account Manager\\Preconfigured\\PreConfigVerNTDS",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.css\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xlt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gpp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dct\\Content Type",
                "HKEY_CURRENT_USER\\.ogg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.doc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Account Manager\\Preconfigured\\PreConfigVer",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.edrwx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.trg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hdp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ai\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ini\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bkf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psm1\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pif\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.icl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.etp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dot\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fnt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CDO.Message\\CLSID\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pic\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSH\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd1\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.faq\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ppt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dl_\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpe\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cer\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MOD\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR-MS\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lib\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rtf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.drv\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.db\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xml\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mov\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsw\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eyb\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.URL\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vxd\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nls\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbproj\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aif\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\ThreadingModel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.osdx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lnk\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bas\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jod\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eps\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpeg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sed\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rle\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crds\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sc2\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wcx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.386\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.user\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.nfo\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableConsoleTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.art\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m1v\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1Q\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aifc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ADTS\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmdb\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\0",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp2\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\FileTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpa\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jtp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mak\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7b\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tlb\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.blg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jfif\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfm\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scr\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cur\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tif\\Content Type",
                "HKEY_CURRENT_USER\\.xht\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7c\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ilk\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gmmp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMD\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.docx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hpp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.kci\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WTV\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ext\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ttc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gadget\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1V\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.webpnp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WSF\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csa\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.aspx\\Content Type",
                "HKEY_CURRENT_USER\\.webm\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1C\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1S\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbs\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.viw\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cdx\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Default LDAP Account",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xls\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.Job\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2TS\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asm\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.VBE\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.iso\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dbg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msdvd\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tgz\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pdb\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.zip\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4b\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tiff\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows Mail\\Disable RFC2646 Wrapping",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.otf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ani\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1K\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tsv\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wpl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.reg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jnt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.avi\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hlp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pps\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wlt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.3gp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cmd\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mht\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pma\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pnf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hxx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dwfx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wbcat\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ocx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.s\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.IVF\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csv\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bin\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\MaxFileSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rc2\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wdp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\ConsoleTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dos\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.idl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows Mail\\No modify accts",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ico\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xps\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.label\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sys\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m3u\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msg\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cod\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.inv\\Content Type",
                "HKEY_CURRENT_USER\\.shtml\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scd\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sch\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pch\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsn\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.eprtx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cab\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.RDP\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dll\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vbs\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.WMS\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pmc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tab\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Content Type\\text\/plain\\Extension",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.csproj\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\InprocServer32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wav\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.udt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m14\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wsc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.z96\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo5",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo4",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo7",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo6",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo1",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo3",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo2",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.man\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vcproj\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.def\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo9",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo8",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.scp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pds\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sor\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.theme\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xaml\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.tli\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.swf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4a\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rsp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.diz\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vob\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jav\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.gz\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.DVR\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.imc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.h\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.easmx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASMANCS\\EnableFileTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.emf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mv\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1xml\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.midi\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.latex\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.prc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dsp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wab\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ncb\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\EnableConsoleTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pml\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ps1\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.htw\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rct\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.lgn\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jbf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.py\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.group\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wri\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.srf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crt\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.TTS\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7s\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pot\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail\\Store Root",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\EnableFileTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.com\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pfx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p7r\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dib\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hqx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2V\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp4v\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.img\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cxx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp3\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.java\\Content Type",
                "HKEY_CURRENT_USER\\.pdf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mig\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.der\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.jpe\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crd\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.M2T\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.c\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sst\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xrm-ms\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wtx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sbr\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{CD000000-8B95-11D1-82DB-00C04FB1625D}\\1.0\\0\\win32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msp\\Content Type",
                "HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xsd\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\MaxFileSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.odh\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.obj\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fon\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wax\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rul\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyw\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.fif\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.movie\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asa\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.stm\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4p\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.x\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.pyc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wm\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bcp\\Content Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\28591",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.spc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.js\\Content Type",
                "HKEY_CURRENT_USER\\.ogv\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vsscc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sy_\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sct\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ics\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.xbap\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chk\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sr_\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vspscc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cls\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psc1\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.UDL\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.qds\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wvx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dic\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mk\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{B691E011-1797-432E-907A-4D8C69339129}\\6.0\\0\\win32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1D\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.MTS\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cda\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.m4v\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mydocs\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\AutoUpdate_RASAPI32\\FileDirectory",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.evtx\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.AAC\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cat\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.psd\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.p10\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cs\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.vssscc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.H1W\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{CD000001-8B95-11D1-82DB-00C04FB1625D}\\InprocServer32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wll\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.rll\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.dat\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ibq\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.JSE\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.msu\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mcl\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.log\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.in_\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.php3\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mp2\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.ans\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.mpv2\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadExpirationDays",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wmz\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.hhc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chm\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.shtm\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.sit\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.res\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.oc_\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asf\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bsc\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cgm\\Content Type",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\IAM\\Accounts\\PreConfigVerNTDS",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.wma\\Content Type"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\account*.oeaccount",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\account*.oeaccount",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\04-01-2020_11.53.jpg",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Passwords.txt",
                "C:\\Users\\cuck\\AppData",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\account*.oeaccount",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail\\*",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\ssfn*",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\Info.txt",
                "C:\\Users\\cuck",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\kxpzmdz",
                "C:\\Users\\cuck\\AppData\\Roaming",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.htm",
                "C:\\Users\\cuck\\AppData\\Roaming\\log",
                "C:\\Users\\cuck\\AppData\\Roaming\\log\\*.vdf"
            ],
            "directory_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows Mail"
            ]
        },
        "first_seen": 1578135197.462999,
        "ppid": 1512
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 2584,
        "summary": {
            "dll_loaded": [
                "kernel32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp"
            ],
            "command_line": [
                "netsh  firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh.*",
                "C:\\Users\\cuck\\AppData",
                "C:\\Windows\\System32\\netsh.*",
                "C:\\Python27\\Scripts\\netsh",
                "C:\\Python27\\Scripts\\netsh.*",
                "C:\\Python27\\netsh.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\netsh",
                "C:\\Users\\cuck",
                "C:\\Python27\\netsh",
                "C:\\Windows\\System32\\netsh.COM",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Windows\\System32\\netsh.exe"
            ]
        },
        "first_seen": 1578135188.681751,
        "ppid": 1512
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\systeminfo.exe",
        "process_name": "systeminfo.exe",
        "pid": 1564,
        "summary": {
            "regkey_written": [
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4462",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386"
            ],
            "dll_loaded": [
                "OLEAUT32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\System32\\mlang.dll",
                "C:\\Windows\\System32\\en-US\\mlang.dll.mui"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32",
                "HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM",
                "HKEY_CURRENT_USER\\MIME\\Database\\Rfc1766",
                "HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
                "HKEY_CURRENT_USER\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}",
                "HKEY_CURRENT_USER\\Interface\\{027947E1-D731-11CE-A357-000000000001}"
            ],
            "guid": [
                "{4590f812-1d3a-11d0-891f-00aa004b2e24}",
                "{00000003-0000-0000-c000-000000000046}",
                "{4590f811-1d3a-11d0-891f-00aa004b2e24}",
                "{44aca674-e8fc-11d0-a07c-00c04fb68820}",
                "{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
                "{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
                "{7c857801-7381-11cf-884d-00aa004b2e24}",
                "{d5f569d0-593b-101a-b569-08002b2dbf7a}",
                "{f309ad18-d86a-11d0-a075-00c04fb68820}",
                "{dc12a687-737f-11cf-884d-00aa004b2e24}"
            ],
            "regkey_read": [
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4462",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\EnableObjectValidation",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\mlang.dll,-4386",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\Logging",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\041D",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\MIME\\Database\\Rfc1766\\0409"
            ]
        },
        "first_seen": 1578135194.244249,
        "ppid": 312
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 312,
        "summary": {
            "dll_loaded": [
                "kernel32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp"
            ],
            "command_line": [
                "systeminfo"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Windows\\System32\\systeminfo.COM",
                "C:\\Windows\\System32\\systeminfo.EXE",
                "C:\\Users\\cuck\\AppData",
                "C:\\Python27\\Scripts\\systeminfo",
                "C:\\Python27\\systeminfo",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\systeminfo",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Windows\\System32\\systeminfo.*",
                "C:\\Users\\cuck",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\systeminfo.*",
                "C:\\Python27\\Scripts\\systeminfo.*",
                "C:\\Users",
                "C:\\Python27\\systeminfo.*",
                "C:\\Users\\cuck\\AppData\\Local"
            ]
        },
        "first_seen": 1578135194.041124,
        "ppid": 1512
    }
]

Signatures

[
    {
        "markcount": 4,
        "families": [],
        "description": "Queries for the computername",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1578135191.593875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 2462
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1578135191.593875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 2466
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1578135194.353249,
                    "tid": 1664,
                    "flags": {}
                },
                "pid": 1564,
                "type": "call",
                "cid": 129
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1578135195.541249,
                    "tid": 1664,
                    "flags": {}
                },
                "pid": 1564,
                "type": "call",
                "cid": 321
            }
        ],
        "references": [],
        "name": "antivm_queries_computername"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Checks if process is being debugged by a debugger",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1578135186.780875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 610
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1578135197.602999,
                    "tid": 1616,
                    "flags": {}
                },
                "pid": 2804,
                "type": "call",
                "cid": 604
            }
        ],
        "references": [],
        "name": "checks_debugger"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Command line console output was observed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleA",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "The syntax supplied for this command is not valid. Check help for the correct syntax.\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1578135189.884626,
                    "tid": 2248,
                    "flags": {}
                },
                "pid": 1576,
                "type": "call",
                "cid": 2626
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleA",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "\r\nadd allowedprogram\r\n      [ program = ] path\r\n      [ name = ] name\r\n      [ [ mode = ] ENABLE|DISABLE\r\n        [ scope = ] ALL|SUBNET|CUSTOM\r\n        [ addresses = ] addresses\r\n        [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]\r\n\r\n  Adds firewall allowed program configuration.\r\n\r\n  Parameters:\r\n\r\n  program - Program path and file name.\r\n\r\n  name - Program name.\r\n\r\n  mode - Program mode (optional).\r\n      ENABLE  - Allow through firewall (default).\r\n      DISABLE - Do not allow through firewall.\r\n\r\n  scope - Program scope (optional).\r\n      ALL    - Allow all traffic through firewall (default).\r\n      SUBNET - Allow only local network (subnet) traffic through firewall.\r\n      CUSTOM - Allow only specified traffic through firewall.\r\n\r\n  addresses - Custom scope addresses (optional).\r\n              This comma-separated scope can contain IPv4 addresses,\r\n              IPv6 addresses, subnets, ranges, or the keyword LocalSubnet.\r\n\r\n  profile - Configuration profile (optional).\r\n      CURRENT  - Applies to the active profile.  Active profile can be domain,\r\n                 standard (i.e. private), or public. (default).\r\n      DOMAIN   - Applies to the domain profile.\r\n      STANDARD - Applies to the standard (i.e. private) profile.\r\n      ALL      - Applies to the domain and standard (i.e. private) profile.\r\n                 Does not apply to the public profile.\r\n\r\n  Remarks: 'scope' must be 'CUSTOM' to specify 'addresses'.\r\n           `addresses' can not contain Unspecified or Loopback addresses.\r\n\r\n  Examples:\r\n\r\n      add allowedprogram C:\\MyApp\\MyApp.exe \"My Application\" ENABLE\r\n      add allowedprogram C:\\MyApp\\MyApp.exe \"My Application\" ENABLE CUSTOM\r\n          157.60.0.1,172.16.0.0\/16,10.0.0.0\/255.0.0.0,\r\n          12AB:0000:0000:CD30::\/60,LocalSubnet\r\n      add allowedprogram program=C:\\MyApp\\MyApp.exe name=\"My Application\"\r\n          mode=DISABLE\r\n      add allowedprogram program=C:\\MyApp\\MyApp.exe name=\"My Application\"\r\n          mode=ENABLE scope=CUSTOM addresses=157.60.0.1,\r\n          172.16.0.0\/16,10.0.0.0\/255.0.0.0,\r\n          12AB:0000:0000:CD30::\/60,LocalSubnet\r\n\r\n      IMPORTANT: \"netsh firewall\" is deprecated;\r\n      use \"netsh advfirewall firewall\" instead.\r\n      For more information on using \"netsh advfirewall firewall\" commands\r\n      instead of \"netsh firewall\", see KB article 947709\r\n      at http:\/\/go.microsoft.com\/fwlink\/?linkid=121488 .\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1578135189.884626,
                    "tid": 2248,
                    "flags": {}
                },
                "pid": 1576,
                "type": "call",
                "cid": 2629
            }
        ],
        "references": [],
        "name": "console_output"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GlobalMemoryStatusEx",
                    "return_value": 1,
                    "arguments": {},
                    "time": 1578135198.025374,
                    "tid": 2780,
                    "flags": {}
                },
                "pid": 2680,
                "type": "call",
                "cid": 30
            }
        ],
        "references": [],
        "name": "antivm_memory_available"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Allocates read-write-execute memory (usually to unpack itself)",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2804,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 12288,
                        "base_address": "0x02920000"
                    },
                    "time": 1578135198.071999,
                    "tid": 1616,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2804,
                "type": "call",
                "cid": 1031
            }
        ],
        "references": [],
        "name": "allocates_rwx"
    },
    {
        "markcount": 0,
        "families": [],
        "description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed",
        "severity": 2,
        "marks": [],
        "references": [
            "https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb"
        ],
        "name": "antisandbox_foregroundwindows"
    },
    {
        "markcount": 4,
        "families": [],
        "description": "Creates a suspicious process",
        "severity": 2,
        "marks": [
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/c C:\\Users\\cuck\\AppData\\Roaming\\log\\pass.exe all",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/k HOSTNAME",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/k systeminfo",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "suspicious_process"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Drops an executable to the user AppData folder",
        "severity": 2,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut578B.tmp",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "exe_appdata"
    },
    {
        "markcount": 4,
        "families": [],
        "description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "Process32NextW",
                    "return_value": 1,
                    "arguments": {
                        "process_name": "rundll32.exe",
                        "snapshot_handle": "0x000001e0",
                        "process_identifier": 2572
                    },
                    "time": 1578135196.702875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 3380
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "Process32NextW",
                    "return_value": 1,
                    "arguments": {
                        "process_name": "rundll32.exe",
                        "snapshot_handle": "0x000001e0",
                        "process_identifier": 316
                    },
                    "time": 1578135196.702875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 3381
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "Process32NextW",
                    "return_value": 1,
                    "arguments": {
                        "process_name": "TrustedInstaller.exe",
                        "snapshot_handle": "0x000001e0",
                        "process_identifier": 2844
                    },
                    "time": 1578135196.702875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 3384
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "Process32NextW",
                    "return_value": 1,
                    "arguments": {
                        "process_name": "AutoUpdate.exe",
                        "snapshot_handle": "0x00000360",
                        "process_identifier": 2804
                    },
                    "time": 1578135200.477999,
                    "tid": 1616,
                    "flags": {}
                },
                "pid": 2804,
                "type": "call",
                "cid": 1682
            }
        ],
        "references": [],
        "name": "injection_process_search"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks adapter addresses which can be used to detect virtual network interfaces",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "network",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "GetAdaptersAddresses",
                    "return_value": 111,
                    "arguments": {
                        "flags": 0,
                        "family": 0
                    },
                    "time": 1578135188.702875,
                    "tid": 2648,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 1861
            }
        ],
        "references": [],
        "name": "antivm_network_adapters"
    },
    {
        "markcount": 3,
        "families": [],
        "description": "The binary likely contains encrypted or compressed data indicative of a packer",
        "severity": 2,
        "marks": [
            {
                "entropy": 7.937117581802646,
                "section": {
                    "size_of_data": "0x00054200",
                    "virtual_address": "0x000fa000",
                    "entropy": 7.937117581802646,
                    "name": "UPX1",
                    "virtual_size": "0x00055000"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 7.954625432393596,
                "section": {
                    "size_of_data": "0x00076200",
                    "virtual_address": "0x0014f000",
                    "entropy": 7.954625432393596,
                    "name": ".rsrc",
                    "virtual_size": "0x00077000"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 1,
                "type": "generic",
                "description": "Overall entropy of this PE file is high"
            }
        ],
        "references": [
            "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
            "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
        ],
        "name": "packer_entropy"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Expresses interest in specific running processes",
        "severity": 2,
        "marks": [
            {
                "category": "process",
                "ioc": "rundll32.exe",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "process_interest"
    },
    {
        "markcount": 4446,
        "families": [],
        "description": "Repeatedly searches for a not-found process, you may want to run a web browser during analysis",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 18,
                    "nt_status": -2147483642,
                    "api": "Process32NextW",
                    "return_value": 0,
                    "arguments": {
                        "process_name": "SearchFilterHost.exe",
                        "snapshot_handle": "0x00000118",
                        "process_identifier": 2816
                    },
                    "time": 1578135186.859875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 926
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 18,
                    "nt_status": -2147483642,
                    "api": "Process32NextW",
                    "return_value": 0,
                    "arguments": {
                        "process_name": "SearchFilterHost.exe",
                        "snapshot_handle": "0x00000118",
                        "process_identifier": 2816
                    },
                    "time": 1578135186.859875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 967
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 18,
                    "nt_status": -2147483642,
                    "api": "Process32NextW",
                    "return_value": 0,
                    "arguments": {
                        "process_name": "SearchFilterHost.exe",
                        "snapshot_handle": "0x00000118",
                        "process_identifier": 2816
                    },
                    "time": 1578135186.859875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 1008
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 18,
                    "nt_status": -2147483642,
                    "api": "Process32NextW",
                    "return_value": 0,
                    "arguments": {
                        "process_name": "TrustedInstaller.exe",
                        "snapshot_handle": "0x000001e0",
                        "process_identifier": 2844
                    },
                    "time": 1578135196.859875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 5271
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 18,
                    "nt_status": -2147483642,
                    "api": "Process32NextW",
                    "return_value": 0,
                    "arguments": {
                        "process_name": "TrustedInstaller.exe",
                        "snapshot_handle": "0x000001e0",
                        "process_identifier": 2844
                    },
                    "time": 1578135196.859875,
                    "tid": 2732,
                    "flags": {}
                },
                "pid": 1512,
                "type": "call",
                "cid": 5317
            }
        ],
        "references": [],
        "name": "process_needed"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "The executable is compressed using UPX",
        "severity": 2,
        "marks": [
            {
                "section": "UPX0",
                "type": "generic",
                "description": "Section name indicates UPX"
            },
            {
                "section": "UPX1",
                "type": "generic",
                "description": "Section name indicates UPX"
            }
        ],
        "references": [],
        "name": "packer_upx"
    },
    {
        "markcount": 4,
        "families": [],
        "description": "Uses Windows utilities for basic Windows functionality",
        "severity": 2,
        "marks": [
            {
                "category": "cmdline",
                "ioc": "systeminfo",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "netsh  firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/k systeminfo",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"yJmAEIBBXdvRXSFRGegUiJnA\")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho(\"XQ0V1bwVGZ0FQZ==\")) mode = ENABLE",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [
            "http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
        ],
        "name": "uses_windows_utilities"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks the CPU name from registry, possibly for anti-virtualization",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "antivm_generic_cpu"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Installs itself for autorun at Windows startup",
        "severity": 3,
        "marks": [
            {
                "type": "generic",
                "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AutoUpdate",
                "reg_value": "C:\\Users\\cuck\\AppData\\Roaming\\log\\AutoUpdate.exe"
            }
        ],
        "references": [],
        "name": "persistence_autorun"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Executes one or more WMI queries",
        "severity": 3,
        "marks": [
            {
                "category": "wmi",
                "ioc": "Select * from AntiVirusProduct",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "has_wmi"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Creates a windows hook that monitors keyboard input (keylogger)",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "SetWindowsHookExA",
                    "return_value": 48694077,
                    "arguments": {
                        "thread_identifier": 0,
                        "callback_function": "0x02920000",
                        "module_address": "0x003e0000",
                        "hook_identifier": 13
                    },
                    "time": 1578135198.071999,
                    "tid": 1616,
                    "flags": {
                        "hook_identifier": "WH_KEYBOARD_LL"
                    }
                },
                "pid": 2804,
                "type": "call",
                "cid": 1039
            }
        ],
        "references": [],
        "name": "infostealer_keylogger"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Harvests credentials from local email clients",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Mail\\Store Root",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Account Manager\\Shared",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "infostealer_mail"
    },
    {
        "markcount": 5,
        "families": [],
        "description": "Sets or modifies WPAD proxy autoconfiguration file for traffic interception",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExA",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x00000384",
                        "value": 1,
                        "regkey_r": "WpadDecisionReason",
                        "reg_type": 4,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason"
                    },
                    "time": 1578135191.280875,
                    "tid": 2648,
                    "flags": {
                        "reg_type": "REG_DWORD"
                    }
                },
                "pid": 1512,
                "type": "call",
                "cid": 2229
            },
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExA",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x00000384",
                        "value": "\u00b0r\u00f9\u00978\u00c3\u00d5\u0001",
                        "regkey_r": "WpadDecisionTime",
                        "reg_type": 3,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime"
                    },
                    "time": 1578135191.280875,
                    "tid": 2648,
                    "flags": {
                        "reg_type": "REG_BINARY"
                    }
                },
                "pid": 1512,
                "type": "call",
                "cid": 2230
            },
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExA",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x00000384",
                        "value": 3,
                        "regkey_r": "WpadDecision",
                        "reg_type": 4,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision"
                    },
                    "time": 1578135191.280875,
                    "tid": 2648,
                    "flags": {
                        "reg_type": "REG_DWORD"
                    }
                },
                "pid": 1512,
                "type": "call",
                "cid": 2231
            },
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExW",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x00000384",
                        "value": "Unidentified network",
                        "regkey_r": "WpadNetworkName",
                        "reg_type": 1,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName"
                    },
                    "time": 1578135191.280875,
                    "tid": 2648,
                    "flags": {
                        "reg_type": "REG_SZ"
                    }
                },
                "pid": 1512,
                "type": "call",
                "cid": 2232
            },
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExW",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x00000380",
                        "value": "{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
                        "regkey_r": "WpadLastNetwork",
                        "reg_type": 1,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork"
                    },
                    "time": 1578135191.296875,
                    "tid": 2648,
                    "flags": {
                        "reg_type": "REG_SZ"
                    }
                },
                "pid": 1512,
                "type": "call",
                "cid": 2302
            }
        ],
        "references": [],
        "name": "modifies_proxy_wpad"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Attempts to modify UAC prompt behavior",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "modify_uac_prompt"
    }
]

Yara

The Yara rules did not detect anything in the file.

Network

{
    "tls": [],
    "udp": [
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 662,
            "time": 6.208668947219849,
            "dport": 137,
            "sport": 137
        },
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 7286,
            "time": 12.211493015289307,
            "dport": 138,
            "sport": 138
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 9130,
            "time": 6.168194055557251,
            "dport": 5355,
            "sport": 51001
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 9458,
            "time": 4.1440229415893555,
            "dport": 5355,
            "sport": 53595
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 9786,
            "time": 6.179533958435059,
            "dport": 5355,
            "sport": 53848
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 10114,
            "time": 4.648414134979248,
            "dport": 5355,
            "sport": 54255
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 10442,
            "time": 3.0303750038146973,
            "dport": 5355,
            "sport": 55314
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 10770,
            "time": 7.016266107559204,
            "dport": 5355,
            "sport": 55880
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 11090,
            "time": 4.677428960800171,
            "dport": 1900,
            "sport": 1900
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 30500,
            "time": 4.179117918014526,
            "dport": 3702,
            "sport": 49152
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 38884,
            "time": 6.240189075469971,
            "dport": 1900,
            "sport": 53598
        }
    ],
    "dns_servers": [],
    "http": [],
    "icmp": [],
    "smtp": [],
    "tcp": [],
    "smtp_ex": [],
    "mitm": [],
    "hosts": [],
    "pcap_sha256": "e410601430483432b9bc7b2300aadbe261cd29113990c3dd26efcd05566d5aef",
    "dns": [],
    "http_ex": [],
    "domains": [],
    "dead_hosts": [],
    "sorted_pcap_sha256": "ba4ca1e7ce0b6c5d78dacf27e3d888e0ffe0756224027568abcda658b973e674",
    "irc": [],
    "https_ex": []
}


stub.exe removal instructions

The instructions below show how to remove stub.exe with help from the FreeFixer removal tool. In short, you install FreeFixer, scan your computer, check the stub.exe file for removal, restart your computer and scan it again to verify that stub.exe has been successfully removed. Here are the removal instructions in more detail:

  1. Download and install FreeFixer: http://www.freefixer.com/download.html
  2. Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
  3. When the scan is finished, locate stub.exe in the scan result and tick the checkbox next to the stub.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate stub.exe in the scan result.
    c:\downloads\stub.exe
  4. Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the stub.exe file.
  5. Restart your computer.
  6. Start FreeFixer and scan your computer again. If stub.exe still remains in the scan result, proceed with the next step. If stub.exe is gone from the scan result you're done.
  7. If stub.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
  8. Restart your computer.
  9. Start FreeFixer and scan your computer again. Verify that stub.exe no longer appears in the scan result.

Other files also named stub.exe

stub.exe (102 votes)

Hashes

Property  Value
MD5       53d9a23a2edaeb04400549556553f5e7
SHA256    a9c04c077b2bb66c9f77c1c4fe49210a0972081ebb457194fb493ae9e6a0f20f

Error Messages

These are some of the error messages that can appear related to stub.exe:

stub.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

stub.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

stub.exe has stopped working.

End Program - stub.exe. This program is not responding.

stub.exe is not a valid Win32 application.

stub.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
