What is AIRecoveryRemind.exe?

AIRecoveryRemind.exe is part of AI Recovery and developed by ASUSTek Computer Inc. according to the AIRecoveryRemind.exe version information.

AIRecoveryRemind.exe's description is "AIRecoveryRemind"

AIRecoveryRemind.exe is digitally signed by ASUSTeK Computer Inc..

AIRecoveryRemind.exe is usually located in the 'C:\Program Files (x86)\ASUS\AI Recovery\' folder.

None of the anti-virus scanners at VirusTotal reports anything malicious about AIRecoveryRemind.exe.

If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.

Vendor and version information [?]

The following is the available information on AIRecoveryRemind.exe:

PropertyValue
Product nameAI Recovery
Company nameASUSTek Computer Inc.
File descriptionAIRecoveryRemind
Internal nameAIRecoveryRemind.exe
Original filenameAIRecoveryRemind.exe
Legal copyrightCopyright (C) AsusTek
Product version1.0.19.0
File version1.0.19.0

Here's a screenshot of the file properties when displayed by Windows Explorer:

Product nameAI Recovery
Company nameASUSTek Computer Inc.
File descriptionAIRecoveryRemind
Internal nameAIRecoveryRemind.exe
Original filenameAIRecoveryRemind.exe
Legal copyrightCopyright (C) AsusTek
Product version1.0.19.0
File version1.0.19.0

Digital signatures [?]

AIRecoveryRemind.exe has a valid digital signature.

PropertyValue
Signer nameASUSTeK Computer Inc.
Certificate issuer nameVeriSign Class 3 Code Signing 2009-2 CA
Certificate serial number12d5c9e2949d48abaccd3514f0fb22ad

VirusTotal report

None of the 73 anti-virus programs at VirusTotal detected the AIRecoveryRemind.exe file.

None of the 73 anti-virus programs detected the AIRecoveryRemind.exe file.

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

Summary

{
    "file_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
    ],
    "file_recreated": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
        "\\Device\\KsecDD",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
    ],
    "regkey_written": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Direct3D\\MostRecentApplication\\Name"
    ],
    "dll_loaded": [
        "imagehlp.dll",
        "API-MS-Win-Security-LSALookup-L1-1-0.dll",
        "DNSAPI.dll",
        "icm32.dll",
        "dwmapi.dll",
        "cryptsp.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll",
        "ncrypt.dll",
        "API-MS-WIN-Service-Management-L2-1-0.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\uxtheme.dll",
        "C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
        "WtsApi32.dll",
        "SspiCli.dll",
        "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\WindowsCodecs.dll",
        "advapi32.dll",
        "ole32.dll",
        "SHLWAPI.dll",
        "USER32.dll",
        "C:\\Windows\\syswow64\\CRYPT32.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\msctf.dll",
        "WindowsCodecs.dll",
        "C:\\Windows\\System32\\wship6.dll",
        "setupapi.dll",
        "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\MSVCR80.dll",
        "WINMM.dll",
        "WindowsCodecsExt.dll",
        "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\PresentationNative_v0300.dll",
        "C:\\Windows\\System32\\wshtcpip.dll",
        "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\ntdll.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
        "urlmon.dll",
        "ntdll",
        "WINSTA.dll",
        "CFGMGR32.dll",
        "kernel32.dll",
        "C:\\Windows\\system32\\IMM32.DLL",
        "C:\\Windows\\Microsoft.NET\\Framework\\v3.0\\WPF\\wpfgfx_v0300.dll",
        "SensApi.dll",
        "ntdll.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
        "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\shell32.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\WindowsBase\\cf293040f3a93afa1ea782487acae816\\WindowsBase.ni.dll",
        "IPHLPAPI.DLL",
        "RichEd20.dll",
        "uxtheme.dll",
        "winhttp.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\PresentationCore\\2ad23de8284d4594aa658dfb5e667d97\\PresentationCore.ni.dll",
        "profapi.dll",
        "d3d9.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\DiskInfo.dll",
        "VERSION.dll",
        "RpcRtRemote.dll",
        "WINTRUST.DLL",
        "C:\\Windows\\system32\\cryptnet.dll",
        "DEVRTL.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\WtsApi32.dll",
        "Cabinet.dll",
        "user32.dll",
        "WINHTTP.dll",
        "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\WindowsCodecsExt.dll",
        "gdi32.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\PresentationFramewo#\\299d0b38053fd7cbd84bac2178c3703b\\PresentationFramework.Aero.ni.dll",
        "KERNEL32.dll",
        "DWMAPI.dll",
        "bcrypt.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
        "mscms.dll",
        "CRYPTSP.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\PresentationFramewo#\\bfaf8f86e69928fb2f67987c0203f603\\PresentationFramework.ni.dll",
        "credssp.dll",
        "API-MS-WIN-Service-winsvc-L1-1-0.dll",
        "msctf.dll",
        "MSVCR80.dll",
        "psapi.dll",
        "NSI.dll",
        "mscorsec.dll",
        "ADVAPI32.dll",
        "advapi32",
        "WS2_32.dll",
        "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\wpfgfx_v0300.dll",
        "DiskInfo.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
        "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\mscms.dll",
        "imm32.dll",
        "API-MS-WIN-Service-Management-L1-1-0.dll",
        "cryptnet.dll",
        "PresentationNative_v0300.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
        "API-MS-Win-Security-SDDL-L1-1-0.dll",
        "shell32.dll",
        "RPCRT4.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
        "mscoree.dll",
        "C:\\Windows\\system32\\mswsock.dll",
        "AdvApi32.dll",
        "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\urlmon.dll"
    ],
    "file_failed": [
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_BBB35F3D100606CE5776FB7E4248C8F3",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_A9B67992415C7278B802A8719047D9A9",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin.config",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\60E31627FDA0A46932B0E5948949F2A5",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_B1CB1333D42495D9A10D2CAA47E4B14A",
        "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
        "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.config",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0797C381B2F87EB5A1D5573BD15BA4F4"
    ],
    "regkey_opened": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.UIAutomationProvider__31bf3856ad364e35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.ReachFramework__31bf3856ad364e35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Avalon.Graphics",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
        "HKEY_CLASSES_ROOT\\Interface\\{C247F616-BBEB-406A-AED3-F75E656599AE}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.System.Printing__31bf3856ad364e35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Fonts",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.WindowsBase__31bf3856ad364e35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_LOCAL_MACHINE\\SoftWare\\Wow6432Node\\ASUS\\AI RECOVERY",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Net Framework Setup\\NDP\\v3.0\\Setup\\Windows Presentation Foundation",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Wisp\\Pen\\SysEventParameters",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
        "HKEY_LOCAL_MACHINE\\SoftWare\\ASUS\\AI RECOVERY",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationUI__31bf3856ad364e35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationCFFRasterizer__31bf3856ad364e35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Video\\{6FABAC3A-B3E4-4C2F-82E9-AA53D01C5093}\\0000",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationFramework.Aero__31bf3856ad364e35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Avalon.Graphics",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2568d43a\\5aa3a8ee",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.UIAutomationTypes__31bf3856ad364e35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
        "HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Windows Presentation Foundation\\Features",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81",
        "HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Tracing\\WPF",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\18c31e23\\77858a0e",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2568d43a\\608e407e",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
        "HKEY_CLASSES_ROOT\\.png",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b",
        "HKEY_CLASSES_ROOT\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationCore__31bf3856ad364e35",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WinSAT",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile",
        "HKEY_CLASSES_ROOT\\CLSID\\{2B46E70F-CDA7-473E-89F6-DC9630A2390B}\\Instance",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationFramework__31bf3856ad364e35"
    ],
    "resolves_host": [
        "www.download.windowsupdate.com",
        "ocsp.verisign.com",
        "crl.verisign.com",
        "csc3-2009-2-crl.verisign.com"
    ],
    "file_written": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
    ],
    "regkey_deleted": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
    ],
    "file_deleted": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
    ],
    "file_exists": [
        "C:\\Windows\\Globalization\\fi-fi.nlp",
        "C:\\Windows\\Globalization\\da-dk.nlp",
        "C:\\Users\\cuck\\AppData\\LocalLow",
        "C:\\Windows\\Globalization\\en-us.nlp",
        "C:\\Windows\\Globalization\\de.nlp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AIRecoveryRemind.resources\\AIRecoveryRemind.resources.exe",
        "C:\\Windows\\Globalization\\it-it.nlp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AIRecoveryRemind.resources.exe",
        "C:\\Windows\\Globalization\\de-de.nlp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AIRecoveryRemind.resources.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
        "C:\\Windows\\Globalization\\ru-ru.nlp",
        "C:\\Windows\\Globalization\\nb-no.nlp",
        "C:\\Windows\\System32\\qagentrt.dll",
        "C:\\Windows\\Globalization\\sk-sk.nlp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AIRecoveryRemind.resources.exe",
        "C:\\Windows\\Globalization\\es-mx.nlp",
        "C:\\Windows\\Globalization\\hu-hu.nlp",
        "C:\\Windows\\Globalization\\fr-fr.nlp",
        "C:\\Windows\\inf\\",
        "C:\\Windows\\Globalization\\ca-es.nlp",
        "C:\\Windows\\System32\\MSCOREE.DLL.local",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AIRecoveryRemind.resources\\AIRecoveryRemind.resources.dll",
        "C:\\Windows\\Globalization\\fr-ca.nlp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.config",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AIRecoveryRemind.resources.dll",
        "C:\\Windows\\Globalization\\en.nlp",
        "C:\\Windows\\Globalization\\ja.nlp",
        "C:\\Windows\\Globalization\\el-gr.nlp",
        "C:\\Windows\\Globalization\\cs-cz.nlp",
        "C:\\Windows\\Globalization\\pt-br.nlp",
        "C:\\Windows\\System32\\p2pcollab.dll",
        "C:\\Windows\\Globalization\\sl-si.nlp",
        "C:\\Windows\\Globalization\\pl-pl.nlp",
        "C:\\Windows\\Globalization\\es-es.nlp",
        "C:\\Windows\\Globalization\\sv-se.nlp",
        "C:\\Windows\\Globalization\\eu-es.nlp",
        "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
        "C:\\Windows\\Globalization\\tr-tr.nlp",
        "C:\\Windows\\Globalization\\nl-nl.nlp",
        "C:\\Windows\\System32\\dnsapi.dll",
        "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
        "C:\\Windows\\Globalization\\pt-pt.nlp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AIRecoveryRemind.resources\\AIRecoveryRemind.resources.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AIRecoveryRemind.resources\\AIRecoveryRemind.resources.exe",
        "C:\\Windows\\Fonts\\"
    ],
    "mutex": [
        "Local\\__DDrawExclMode__",
        "Local\\__DDrawCheckExclMode__"
    ],
    "file_opened": [
        "C:\\Users\\cuck\\AppData\\LocalLow",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
        "C:\\Windows\\assembly\\pubpol4.dat",
        "C:\\Windows\\Fonts\\verdanab.ttf",
        "C:\\Windows\\System32\\l_intl.nls",
        "C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
        "C:\\Windows\\Fonts\\verdana.ttf",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
        "C:\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015"
    ],
    "command_line": [
        "dw20.exe -x -s 1460"
    ],
    "file_read": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
        "C:\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
    ],
    "regkey_read": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Wisp\\Pen\\SysEventParameters\\DblTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\Status",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\UIAutomationTypes,3.0.0.0,,31bf3856ad364e35,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Video\\{6FABAC3A-B3E4-4C2F-82E9-AA53D01C5093}\\0000\\HardwareInformation.MemorySize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Video\\{6FABAC3A-B3E4-4C2F-82E9-AA53D01C5093}\\0000\\InstalledDisplayDrivers",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\Disable Thread Input Manager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data,2.0.0.0,,b77a5c561934e089,x86",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winsat\\VideoMemoryBandwidth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationCore,3.0.0.0,,31bf3856ad364e35,x86",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\RegisteredProfiles\\sRGB",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationFramework,3.0.0.0,,31bf3856ad364e35,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\ReachFramework,3.0.0.0,,31bf3856ad364e35,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\2FDE6D39",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\RGB Emulation\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Size",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\SoftwareOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\LoadDebugRuntime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Printing,3.0.0.0,,31bf3856ad364e35,x86",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\DisableD3DXPSGP",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\NET Framework Setup\\NDP\\v3.0\\Setup\\Windows Presentation Foundation\\InstallRoot",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Direct3D HAL\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\SIG",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\ForceDriverFlagsOff",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\ILDependencies",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\MVID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winsat\\VideoMemorySize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\UIAutomationProvider,3.0.0.0,,31bf3856ad364e35,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\DisablePSGP",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\Modules",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\SIG",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{C247F616-BBEB-406A-AED3-F75E656599AE}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\DX6TextureEnumInclusionList\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Ramp Emulation\\Size",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationUI,3.0.0.0,,31bf3856ad364e35,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationFramework.Aero,3.0.0.0,,31bf3856ad364e35,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\SIG",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\DisplayName",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Wisp\\Pen\\SysEventParameters\\DblDist",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationCFFRasterizer,3.0.0.0,,31bf3856ad364e35,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\RGB Emulation\\Size",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Ramp Emulation\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\WindowsBase,3.0.0.0,,31bf3856ad364e35,MSIL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\DisplayName",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\SIG",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Wisp\\Pen\\SysEventParameters\\Cancel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Direct3D HAL\\Size",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\DX6TextureEnumInclusionList\\Size",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
    ],
    "directory_enumerated": [
        "C:\\Users\\cuck\\AppData",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\PresentationCore.INI",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\WindowsBase.INI",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_*",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_*",
        "C:\\Users",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.INI",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI",
        "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
        "C:\\Users\\cuck",
        "C:\\Users\\cuck\\AppData\\Local",
        "C:\\Windows\\assembly\\GAC_MSIL\\PresentationFramework\\3.0.0.0__31bf3856ad364e35\\PresentationFramework.INI",
        "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
        "C:\\Windows",
        "C:\\Windows\\winsxs",
        "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
        "C:\\Windows\\assembly\\GAC_MSIL\\PresentationFramework.Aero\\3.0.0.0__31bf3856ad364e35\\PresentationFramework.Aero.INI"
    ]
}

Dropped

[
    {
        "yara": [
            {
                "meta": {
                    "description": "Contains an embedded Mach-O file",
                    "author": "nex"
                },
                "name": "embedded_macho",
                "offsets": {
                    "magic1": [
                        [
                            47966606,
                            0
                        ]
                    ]
                },
                "strings": [
                    "yv66vg=="
                ]
            },
            {
                "meta": {
                    "description": "Contains an embedded PE32 file",
                    "author": "nex"
                },
                "name": "embedded_pe",
                "offsets": {
                    "a": [
                        [
                            53050113,
                            0
                        ],
                        [
                            57382087,
                            0
                        ]
                    ],
                    "b": [
                        [
                            30504049,
                            1
                        ]
                    ]
                },
                "strings": [
                    "UEUzMg==",
                    "VGhpcyBwcm9ncmFt"
                ]
            },
            {
                "meta": {
                    "description": "A non-Windows executable contains win32 API functions names",
                    "author": "nex"
                },
                "name": "embedded_win_api",
                "offsets": {
                    "api6": [
                        [
                            41258349,
                            6
                        ],
                        [
                            41459008,
                            6
                        ],
                        [
                            44288604,
                            6
                        ],
                        [
                            50556770,
                            6
                        ],
                        [
                            51862272,
                            6
                        ],
                        [
                            53110150,
                            6
                        ],
                        [
                            53138651,
                            6
                        ],
                        [
                            62595257,
                            6
                        ]
                    ],
                    "api7": [
                        [
                            5335721,
                            5
                        ],
                        [
                            5905461,
                            5
                        ],
                        [
                            5905474,
                            5
                        ],
                        [
                            5905498,
                            5
                        ],
                        [
                            5905537,
                            5
                        ],
                        [
                            32531561,
                            5
                        ],
                        [
                            32531578,
                            5
                        ],
                        [
                            32559643,
                            5
                        ],
                        [
                            32559709,
                            5
                        ],
                        [
                            33723433,
                            5
                        ],
                        [
                            33723470,
                            5
                        ],
                        [
                            40079586,
                            5
                        ],
                        [
                            40080062,
                            5
                        ],
                        [
                            40080173,
                            5
                        ],
                        [
                            40122264,
                            5
                        ],
                        [
                            41105258,
                            5
                        ],
                        [
                            41129323,
                            5
                        ],
                        [
                            41165763,
                            5
                        ],
                        [
                            41169323,
                            5
                        ],
                        [
                            41272361,
                            5
                        ],
                        [
                            41449281,
                            5
                        ],
                        [
                            41450580,
                            5
                        ],
                        [
                            41450601,
                            5
                        ],
                        [
                            41452053,
                            5
                        ],
                        [
                            41452621,
                            5
                        ],
                        [
                            41452641,
                            5
                        ],
                        [
                            41452991,
                            5
                        ],
                        [
                            41859944,
                            5
                        ],
                        [
                            44286984,
                            5
                        ]
                    ],
                    "api2": [
                        [
                            18663460,
                            0
                        ],
                        [
                            20377183,
                            0
                        ],
                        [
                            20803173,
                            0
                        ],
                        [
                            32001842,
                            0
                        ],
                        [
                            32561681,
                            0
                        ],
                        [
                            32561696,
                            0
                        ],
                        [
                            32561722,
                            0
                        ],
                        [
                            39905236,
                            0
                        ],
                        [
                            41257761,
                            0
                        ]
                    ],
                    "api3": [
                        [
                            41476630,
                            3
                        ],
                        [
                            44281542,
                            3
                        ]
                    ],
                    "api8": [
                        [
                            50554696,
                            1
                        ],
                        [
                            51860186,
                            1
                        ],
                        [
                            53069855,
                            1
                        ],
                        [
                            53110228,
                            1
                        ]
                    ],
                    "api14": [
                        [
                            50554696,
                            1
                        ],
                        [
                            51860186,
                            1
                        ],
                        [
                            53069855,
                            1
                        ],
                        [
                            53110228,
                            1
                        ]
                    ],
                    "api12": [
                        [
                            50556701,
                            4
                        ],
                        [
                            53110106,
                            4
                        ],
                        [
                            53110126,
                            4
                        ]
                    ],
                    "api13": [
                        [
                            41134225,
                            2
                        ],
                        [
                            41469534,
                            2
                        ],
                        [
                            50554778,
                            2
                        ],
                        [
                            53109732,
                            2
                        ],
                        [
                            66478846,
                            2
                        ],
                        [
                            66494309,
                            2
                        ],
                        [
                            67246904,
                            2
                        ]
                    ]
                },
                "strings": [
                    "R2V0UHJvY0FkZHJlc3M=",
                    "R2V0V2luZG93c0RpcmVjdG9yeQ==",
                    "R2V0VGVtcFBhdGg=",
                    "TG9hZExpYnJhcnlB",
                    "U2V0RmlsZVBvaW50ZXI=",
                    "U2hlbGxFeGVjdXRl",
                    "V3JpdGVGaWxl"
                ]
            },
            {
                "meta": {
                    "description": "Possibly employs anti-virtualization techniques",
                    "author": "nex"
                },
                "name": "vmdetect",
                "offsets": {
                    "vmcheckdll": [
                        [
                            12641864,
                            0
                        ]
                    ]
                },
                "strings": [
                    "RccAAQ=="
                ]
            },
            {
                "meta": {
                    "description": "Matched shellcode byte patterns",
                    "author": "nex"
                },
                "name": "shellcode",
                "offsets": {
                    "shell7": [
                        [
                            1754459,
                            0
                        ],
                        [
                            1754491,
                            0
                        ],
                        [
                            1754539,
                            0
                        ],
                        [
                            1815947,
                            0
                        ],
                        [
                            2009259,
                            0
                        ],
                        [
                            2009307,
                            0
                        ],
                        [
                            2009339,
                            0
                        ],
                        [
                            2204219,
                            0
                        ],
                        [
                            2218315,
                            0
                        ],
                        [
                            2244363,
                            0
                        ],
                        [
                            2249307,
                            0
                        ],
                        [
                            2321563,
                            0
                        ],
                        [
                            2341563,
                            0
                        ],
                        [
                            2356891,
                            0
                        ],
                        [
                            2443947,
                            0
                        ],
                        [
                            2484379,
                            0
                        ],
                        [
                            2526043,
                            0
                        ],
                        [
                            2526075,
                            0
                        ],
                        [
                            2526123,
                            0
                        ],
                        [
                            8321535,
                            0
                        ],
                        [
                            8339423,
                            0
                        ],
                        [
                            8357635,
                            0
                        ],
                        [
                            8436387,
                            0
                        ],
                        [
                            8457947,
                            0
                        ],
                        [
                            8458347,
                            0
                        ],
                        [
                            8460415,
                            0
                        ],
                        [
                            8460447,
                            0
                        ],
                        [
                            8460635,
                            0
                        ],
                        [
                            8460667,
                            0
                        ],
                        [
                            8460787,
                            0
                        ],
                        [
                            8460827,
                            0
                        ],
                        [
                            8461079,
                            0
                        ],
                        [
                            8461199,
                            0
                        ],
                        [
                            8461239,
                            0
                        ],
                        [
                            8501931,
                            0
                        ],
                        [
                            8501959,
                            0
                        ],
                        [
                            8501987,
                            0
                        ],
                        [
                            8502015,
                            0
                        ],
                        [
                            8502043,
                            0
                        ],
                        [
                            8502075,
                            0
                        ],
                        [
                            8502107,
                            0
                        ],
                        [
                            8502139,
                            0
                        ],
                        [
                            8502171,
                            0
                        ],
                        [
                            8506203,
                            0
                        ],
                        [
                            8506235,
                            0
                        ],
                        [
                            8512023,
                            0
                        ],
                        [
                            8628327,
                            0
                        ],
                        [
                            8628959,
                            0
                        ],
                        [
                            8635391,
                            0
                        ],
                        [
                            8635419,
                            0
                        ],
                        [
                            8648067,
                            0
                        ],
                        [
                            8660543,
                            0
                        ],
                        [
                            8675991,
                            0
                        ],
                        [
                            8820775,
                            0
                        ],
                        [
                            8856031,
                            0
                        ],
                        [
                            8856063,
                            0
                        ],
                        [
                            8899235,
                            0
                        ],
                        [
                            8932459,
                            0
                        ],
                        [
                            9035871,
                            0
                        ],
                        [
                            9036039,
                            0
                        ],
                        [
                            9056575,
                            0
                        ],
                        [
                            9127115,
                            0
                        ],
                        [
                            9127331,
                            0
                        ],
                        [
                            9167583,
                            0
                        ],
                        [
                            9181083,
                            0
                        ],
                        [
                            9191279,
                            0
                        ],
                        [
                            9205403,
                            0
                        ],
                        [
                            9226159,
                            0
                        ],
                        [
                            9296547,
                            0
                        ],
                        [
                            9323259,
                            0
                        ],
                        [
                            9333627,
                            0
                        ],
                        [
                            9351863,
                            0
                        ],
                        [
                            9419307,
                            0
                        ],
                        [
                            9420455,
                            0
                        ],
                        [
                            9438971,
                            0
                        ],
                        [
                            9439155,
                            0
                        ],
                        [
                            9538251,
                            0
                        ],
                        [
                            9554259,
                            0
                        ],
                        [
                            9570875,
                            0
                        ],
                        [
                            9570951,
                            0
                        ],
                        [
                            9570987,
                            0
                        ],
                        [
                            9575643,
                            0
                        ],
                        [
                            9580091,
                            0
                        ],
                        [
                            9580187,
                            0
                        ],
                        [
                            9589787,
                            0
                        ],
                        [
                            9706943,
                            0
                        ],
                        [
                            9758519,
                            0
                        ],
                        [
                            9758943,
                            0
                        ],
                        [
                            9759867,
                            0
                        ],
                        [
                            9852639,
                            0
                        ],
                        [
                            9882075,
                            0
                        ],
                        [
                            9882363,
                            0
                        ],
                        [
                            9895675,
                            0
                        ],
                        [
                            9895767,
                            0
                        ],
                        [
                            9895815,
                            0
                        ],
                        [
                            9895863,
                            0
                        ],
                        [
                            9895911,
                            0
                        ],
                        [
                            9895947,
                            0
                        ],
                        [
                            9896111,
                            0
                        ],
                        [
                            9896159,
                            0
                        ],
                        [
                            9896195,
                            0
                        ],
                        [
                            9896231,
                            0
                        ],
                        [
                            9896267,
                            0
                        ],
                        [
                            9896303,
                            0
                        ],
                        [
                            9896339,
                            0
                        ],
                        [
                            9896387,
                            0
                        ],
                        [
                            9896423,
                            0
                        ],
                        [
                            9897003,
                            0
                        ],
                        [
                            9947679,
                            0
                        ],
                        [
                            10050983,
                            0
                        ],
                        [
                            10057143,
                            0
                        ],
                        [
                            10130891,
                            0
                        ],
                        [
                            10181347,
                            0
                        ],
                        [
                            10200691,
                            0
                        ],
                        [
                            10274719,
                            0
                        ],
                        [
                            10281947,
                            0
                        ],
                        [
                            10365575,
                            0
                        ],
                        [
                            10365607,
                            0
                        ],
                        [
                            10509855,
                            0
                        ],
                        [
                            10561831,
                            0
                        ],
                        [
                            10584495,
                            0
                        ],
                        [
                            10584527,
                            0
                        ],
                        [
                            10739423,
                            0
                        ],
                        [
                            10946215,
                            0
                        ],
                        [
                            10947855,
                            0
                        ],
                        [
                            10955519,
                            0
                        ],
                        [
                            10976991,
                            0
                        ],
                        [
                            10979003,
                            0
                        ],
                        [
                            10981487,
                            0
                        ],
                        [
                            10981835,
                            0
                        ],
                        [
                            10982491,
                            0
                        ],
                        [
                            10985755,
                            0
                        ],
                        [
                            10989695,
                            0
                        ],
                        [
                            10990891,
                            0
                        ],
                        [
                            10991835,
                            0
                        ],
                        [
                            10998119,
                            0
                        ],
                        [
                            11002691,
                            0
                        ],
                        [
                            11003611,
                            0
                        ],
                        [
                            11005591,
                            0
                        ],
                        [
                            11008199,
                            0
                        ],
                        [
                            11009915,
                            0
                        ],
                        [
                            11014227,
                            0
                        ],
                        [
                            11015611,
                            0
                        ],
                        [
                            11016719,
                            0
                        ],
                        [
                            11018495,
                            0
                        ],
                        [
                            11019703,
                            0
                        ],
                        [
                            11021327,
                            0
                        ],
                        [
                            11027803,
                            0
                        ],
                        [
                            11029243,
                            0
                        ],
                        [
                            11030595,
                            0
                        ],
                        [
                            11034995,
                            0
                        ],
                        [
                            11035355,
                            0
                        ],
                        [
                            11041139,
                            0
                        ],
                        [
                            11047323,
                            0
                        ],
                        [
                            11053019,
                            0
                        ],
                        [
                            11056231,
                            0
                        ],
                        [
                            11056891,
                            0
                        ],
                        [
                            11058355,
                            0
                        ],
                        [
                            11079451,
                            0
                        ],
                        [
                            11082363,
                            0
                        ],
                        [
                            11084467,
                            0
                        ],
                        [
                            11089439,
                            0
                        ],
                        [
                            11089499,
                            0
                        ],
                        [
                            11089691,
                            0
                        ],
                        [
                            11091035,
                            0
                        ],
                        [
                            11091591,
                            0
                        ],
                        [
                            11101467,
                            0
                        ],
                        [
                            17927923,
                            0
                        ],
                        [
                            17928051,
                            0
                        ],
                        [
                            18143107,
                            0
                        ],
                        [
                            18153699,
                            0
                        ],
                        [
                            18153891,
                            0
                        ],
                        [
                            18153923,
                            0
                        ],
                        [
                            18200691,
                            0
                        ],
                        [
                            18203139,
                            0
                        ],
                        [
                            18216739,
                            0
                        ],
                        [
                            18216899,
                            0
                        ],
                        [
                            18303667,
                            0
                        ],
                        [
                            18316195,
                            0
                        ],
                        [
                            18350499,
                            0
                        ],
                        [
                            18394355,
                            0
                        ],
                        [
                            18394531,
                            0
                        ],
                        [
                            22727875,
                            0
                        ],
                        [
                            22727959,
                            0
                        ],
                        [
                            22727987,
                            0
                        ],
                        [
                            22728015,
                            0
                        ],
                        [
                            23028879,
                            0
                        ],
                        [
                            23061035,
                            0
                        ],
                        [
                            23061939,
                            0
                        ],
                        [
                            23063495,
                            0
                        ],
                        [
                            23069031,
                            0
                        ],
                        [
                            23086991,
                            0
                        ],
                        [
                            23118715,
                            0
                        ],
                        [
                            23166659,
                            0
                        ],
                        [
                            23166699,
                            0
                        ],
                        [
                            23166819,
                            0
                        ],
                        [
                            23166851,
                            0
                        ],
                        [
                            23166883,
                            0
                        ],
                        [
                            23166915,
                            0
                        ],
                        [
                            23201675,
                            0
                        ],
                        [
                            23376031,
                            0
                        ],
                        [
                            23376075,
                            0
                        ],
                        [
                            23376103,
                            0
                        ],
                        [
                            23499551,
                            0
                        ],
                        [
                            23501507,
                            0
                        ],
                        [
                            23591055,
                            0
                        ],
                        [
                            23591115,
                            0
                        ],
                        [
                            23591303,
                            0
                        ],
                        [
                            23604123,
                            0
                        ],
                        [
                            23615427,
                            0
                        ],
                        [
                            23738047,
                            0
                        ],
                        [
                            23740739,
                            0
                        ],
                        [
                            23778923,
                            0
                        ],
                        [
                            23807095,
                            0
                        ],
                        [
                            23807139,
                            0
                        ],
                        [
                            23807183,
                            0
                        ],
                        [
                            23945363,
                            0
                        ],
                        [
                            23991643,
                            0
                        ],
                        [
                            23994275,
                            0
                        ],
                        [
                            24004147,
                            0
                        ],
                        [
                            24045219,
                            0
                        ],
                        [
                            24046663,
                            0
                        ],
                        [
                            24066663,
                            0
                        ],
                        [
                            24074843,
                            0
                        ],
                        [
                            24108435,
                            0
                        ],
                        [
                            24120287,
                            0
                        ],
                        [
                            24202423,
                            0
                        ],
                        [
                            24202611,
                            0
                        ],
                        [
                            24202783,
                            0
                        ],
                        [
                            24213123,
                            0
                        ],
                        [
                            24213587,
                            0
                        ],
                        [
                            24213663,
                            0
                        ],
                        [
                            24213699,
                            0
                        ],
                        [
                            24213735,
                            0
                        ],
                        [
                            24215235,
                            0
                        ],
                        [
                            24215331,
                            0
                        ],
                        [
                            24215363,
                            0
                        ],
                        [
                            24215395,
                            0
                        ],
                        [
                            24215427,
                            0
                        ],
                        [
                            24272635,
                            0
                        ],
                        [
                            24276831,
                            0
                        ],
                        [
                            24279911,
                            0
                        ],
                        [
                            24289859,
                            0
                        ],
                        [
                            24326795,
                            0
                        ],
                        [
                            24336855,
                            0
                        ],
                        [
                            24341643,
                            0
                        ],
                        [
                            24363639,
                            0
                        ],
                        [
                            24367279,
                            0
                        ],
                        [
                            24376311,
                            0
                        ],
                        [
                            24378635,
                            0
                        ],
                        [
                            24385187,
                            0
                        ],
                        [
                            24390771,
                            0
                        ],
                        [
                            24398787,
                            0
                        ],
                        [
                            24437339,
                            0
                        ],
                        [
                            24445399,
                            0
                        ],
                        [
                            24453687,
                            0
                        ],
                        [
                            24457251,
                            0
                        ],
                        [
                            24465843,
                            0
                        ],
                        [
                            24469059,
                            0
                        ],
                        [
                            24474295,
                            0
                        ],
                        [
                            24487715,
                            0
                        ],
                        [
                            24497023,
                            0
                        ],
                        [
                            24505539,
                            0
                        ],
                        [
                            24520547,
                            0
                        ],
                        [
                            24534211,
                            0
                        ],
                        [
                            24549375,
                            0
                        ],
                        [
                            24564995,
                            0
                        ],
                        [
                            24568363,
                            0
                        ],
                        [
                            24577195,
                            0
                        ],
                        [
                            24583583,
                            0
                        ],
                        [
                            24589219,
                            0
                        ],
                        [
                            24617195,
                            0
                        ],
                        [
                            24619159,
                            0
                        ],
                        [
                            24625731,
                            0
                        ],
                        [
                            24641675,
                            0
                        ],
                        [
                            24676407,
                            0
                        ],
                        [
                            24702115,
                            0
                        ],
                        [
                            24702343,
                            0
                        ],
                        [
                            24879059,
                            0
                        ],
                        [
                            25009471,
                            0
                        ],
                        [
                            25014963,
                            0
                        ],
                        [
                            25113403,
                            0
                        ],
                        [
                            25155219,
                            0
                        ],
                        [
                            25156783,
                            0
                        ],
                        [
                            25166339,
                            0
                        ],
                        [
                            25177871,
                            0
                        ],
                        [
                            25179891,
                            0
                        ],
                        [
                            25181603,
                            0
                        ],
                        [
                            25182371,
                            0
                        ],
                        [
                            25184007,
                            0
                        ],
                        [
                            25184667,
                            0
                        ],
                        [
                            25194931,
                            0
                        ],
                        [
                            25195555,
                            0
                        ],
                        [
                            25216323,
                            0
                        ],
                        [
                            25217931,
                            0
                        ],
                        [
                            25219619,
                            0
                        ],
                        [
                            25221771,
                            0
                        ],
                        [
                            25224355,
                            0
                        ],
                        [
                            25230471,
                            0
                        ],
                        [
                            25243555,
                            0
                        ],
                        [
                            25246703,
                            0
                        ],
                        [
                            25250555,
                            0
                        ],
                        [
                            25252215,
                            0
                        ],
                        [
                            25252755,
                            0
                        ],
                        [
                            25254091,
                            0
                        ],
                        [
                            25255319,
                            0
                        ],
                        [
                            25256419,
                            0
                        ],
                        [
                            25256643,
                            0
                        ],
                        [
                            25262539,
                            0
                        ],
                        [
                            25268275,
                            0
                        ],
                        [
                            25274499,
                            0
                        ],
                        [
                            25278799,
                            0
                        ],
                        [
                            25281791,
                            0
                        ],
                        [
                            25285435,
                            0
                        ],
                        [
                            25294339,
                            0
                        ],
                        [
                            25295555,
                            0
                        ],
                        [
                            25299331,
                            0
                        ],
                        [
                            25305231,
                            0
                        ],
                        [
                            25305667,
                            0
                        ],
                        [
                            25307619,
                            0
                        ],
                        [
                            25312531,
                            0
                        ],
                        [
                            25315567,
                            0
                        ],
                        [
                            25317443,
                            0
                        ],
                        [
                            25326767,
                            0
                        ],
                        [
                            25327691,
                            0
                        ],
                        [
                            25327747,
                            0
                        ],
                        [
                            25329543,
                            0
                        ],
                        [
                            25330819,
                            0
                        ],
                        [
                            25337251,
                            0
                        ],
                        [
                            25342983,
                            0
                        ],
                        [
                            25359651,
                            0
                        ],
                        [
                            25372331,
                            0
                        ],
                        [
                            25374243,
                            0
                        ],
                        [
                            25376207,
                            0
                        ],
                        [
                            25377283,
                            0
                        ],
                        [
                            25386563,
                            0
                        ],
                        [
                            25389667,
                            0
                        ],
                        [
                            25391435,
                            0
                        ],
                        [
                            25398779,
                            0
                        ],
                        [
                            25417243,
                            0
                        ],
                        [
                            25419659,
                            0
                        ],
                        [
                            25423139,
                            0
                        ],
                        [
                            25429267,
                            0
                        ],
                        [
                            25431403,
                            0
                        ],
                        [
                            25445991,
                            0
                        ],
                        [
                            25448451,
                            0
                        ],
                        [
                            25465699,
                            0
                        ],
                        [
                            31778875,
                            0
                        ],
                        [
                            31805819,
                            0
                        ],
                        [
                            31905851,
                            0
                        ],
                        [
                            31913003,
                            0
                        ],
                        [
                            33224763,
                            0
                        ],
                        [
                            33236315,
                            0
                        ],
                        [
                            33236531,
                            0
                        ],
                        [
                            33236819,
                            0
                        ],
                        [
                            33237371,
                            0
                        ],
                        [
                            33251259,
                            0
                        ],
                        [
                            33251291,
                            0
                        ],
                        [
                            33251323,
                            0
                        ],
                        [
                            33251355,
                            0
                        ],
                        [
                            33251387,
                            0
                        ],
                        [
                            33251483,
                            0
                        ],
                        [
                            33251515,
                            0
                        ],
                        [
                            33251547,
                            0
                        ],
                        [
                            33251995,
                            0
                        ],
                        [
                            33260155,
                            0
                        ],
                        [
                            33341767,
                            0
                        ],
                        [
                            33405567,
                            0
                        ],
                        [
                            33407643,
                            0
                        ],
                        [
                            33414363,
                            0
                        ],
                        [
                            33488955,
                            0
                        ],
                        [
                            33506035,
                            0
                        ],
                        [
                            33648143,
                            0
                        ],
                        [
                            33648587,
                            0
                        ],
                        [
                            33653731,
                            0
                        ],
                        [
                            33663267,
                            0
                        ],
                        [
                            33665327,
                            0
                        ],
                        [
                            33668095,
                            0
                        ],
                        [
                            33673891,
                            0
                        ],
                        [
                            33679019,
                            0
                        ],
                        [
                            33680859,
                            0
                        ],
                        [
                            33684003,
                            0
                        ],
                        [
                            33684659,
                            0
                        ],
                        [
                            33692003,
                            0
                        ],
                        [
                            33696943,
                            0
                        ],
                        [
                            33697295,
                            0
                        ],
                        [
                            33699131,
                            0
                        ],
                        [
                            33700343,
                            0
                        ],
                        [
                            33712211,
                            0
                        ],
                        [
                            33713051,
                            0
                        ],
                        [
                            39281861,
                            0
                        ],
                        [
                            39359253,
                            0
                        ],
                        [
                            39400581,
                            0
                        ],
                        [
                            39431093,
                            0
                        ],
                        [
                            42901281,
                            0
                        ],
                        [
                            42949241,
                            0
                        ],
                        [
                            43063561,
                            0
                        ],
                        [
                            43110605,
                            0
                        ],
                        [
                            43129829,
                            0
                        ],
                        [
                            43164345,
                            0
                        ],
                        [
                            43176381,
                            0
                        ],
                        [
                            43176457,
                            0
                        ],
                        [
                            43181805,
                            0
                        ],
                        [
                            43182597,
                            0
                        ],
                        [
                            43208901,
                            0
                        ],
                        [
                            43300345,
                            0
                        ],
                        [
                            43393177,
                            0
                        ],
                        [
                            43413509,
                            0
                        ],
                        [
                            43425605,
                            0
                        ],
                        [
                            43637477,
                            0
                        ],
                        [
                            43676901,
                            0
                        ],
                        [
                            43948517,
                            0
                        ],
                        [
                            43950033,
                            0
                        ],
                        [
                            43966281,
                            0
                        ],
                        [
                            44042801,
                            0
                        ],
                        [
                            44063653,
                            0
                        ],
                        [
                            44075849,
                            0
                        ],
                        [
                            44108297,
                            0
                        ],
                        [
                            44221509,
                            0
                        ],
                        [
                            44227205,
                            0
                        ],
                        [
                            44228421,
                            0
                        ],
                        [
                            44230901,
                            0
                        ],
                        [
                            44254309,
                            0
                        ],
                        [
                            44255941,
                            0
                        ],
                        [
                            49719598,
                            0
                        ],
                        [
                            49733950,
                            0
                        ],
                        [
                            49734190,
                            0
                        ],
                        [
                            49734238,
                            0
                        ],
                        [
                            49735374,
                            0
                        ],
                        [
                            49753678,
                            0
                        ],
                        [
                            49834190,
                            0
                        ],
                        [
                            49905422,
                            0
                        ],
                        [
                            49905614,
                            0
                        ],
                        [
                            49927086,
                            0
                        ],
                        [
                            49955614,
                            0
                        ],
                        [
                            49984846,
                            0
                        ],
                        [
                            50004862,
                            0
                        ],
                        [
                            50031726,
                            0
                        ],
                        [
                            50050590,
                            0
                        ],
                        [
                            50120046,
                            0
                        ],
                        [
                            50158990,
                            0
                        ],
                        [
                            50200558,
                            0
                        ],
                        [
                            50219022,
                            0
                        ],
                        [
                            50219086,
                            0
                        ],
                        [
                            50263550,
                            0
                        ],
                        [
                            50277230,
                            0
                        ],
                        [
                            50279150,
                            0
                        ],
                        [
                            50287150,
                            0
                        ],
                        [
                            54774818,
                            0
                        ],
                        [
                            54842562,
                            0
                        ],
                        [
                            54842734,
                            0
                        ],
                        [
                            54842762,
                            0
                        ],
                        [
                            54842790,
                            0
                        ],
                        [
                            54842866,
                            0
                        ],
                        [
                            54859082,
                            0
                        ],
                        [
                            54859710,
                            0
                        ],
                        [
                            54893934,
                            0
                        ],
                        [
                            54911342,
                            0
                        ],
                        [
                            54930886,
                            0
                        ],
                        [
                            54943914,
                            0
                        ],
                        [
                            55009646,
                            0
                        ],
                        [
                            55018646,
                            0
                        ],
                        [
                            55062654,
                            0
                        ],
                        [
                            55063114,
                            0
                        ],
                        [
                            55066178,
                            0
                        ],
                        [
                            55070606,
                            0
                        ],
                        [
                            55108934,
                            0
                        ],
                        [
                            55128602,
                            0
                        ],
                        [
                            55128630,
                            0
                        ],
                        [
                            55128658,
                            0
                        ],
                        [
                            55131710,
                            0
                        ],
                        [
                            55131746,
                            0
                        ],
                        [
                            55131846,
                            0
                        ],
                        [
                            55131882,
                            0
                        ],
                        [
                            55131926,
                            0
                        ],
                        [
                            55133102,
                            0
                        ],
                        [
                            55133146,
                            0
                        ],
                        [
                            55133186,
                            0
                        ],
                        [
                            55133986,
                            0
                        ],
                        [
                            55134022,
                            0
                        ],
                        [
                            55459726,
                            0
                        ],
                        [
                            55459790,
                            0
                        ],
                        [
                            55459818,
                            0
                        ],
                        [
                            55460190,
                            0
                        ],
                        [
                            55460542,
                            0
                        ],
                        [
                            55460958,
                            0
                        ],
                        [
                            55460990,
                            0
                        ],
                        [
                            55461406,
                            0
                        ],
                        [
                            55461438,
                            0
                        ],
                        [
                            55461726,
                            0
                        ],
                        [
                            55461758,
                            0
                        ],
                        [
                            55461826,
                            0
                        ],
                        [
                            55461854,
                            0
                        ],
                        [
                            55470174,
                            0
                        ],
                        [
                            55470206,
                            0
                        ],
                        [
                            55470238,
                            0
                        ],
                        [
                            55470334,
                            0
                        ],
                        [
                            55478142,
                            0
                        ],
                        [
                            55478310,
                            0
                        ],
                        [
                            55478526,
                            0
                        ],
                        [
                            55484710,
                            0
                        ],
                        [
                            55485110,
                            0
                        ],
                        [
                            55485918,
                            0
                        ],
                        [
                            55486182,
                            0
                        ],
                        [
                            55541510,
                            0
                        ],
                        [
                            55541566,
                            0
                        ],
                        [
                            55717766,
                            0
                        ],
                        [
                            55721918,
                            0
                        ],
                        [
                            55727386,
                            0
                        ],
                        [
                            55738582,
                            0
                        ],
                        [
                            55744478,
                            0
                        ],
                        [
                            55763070,
                            0
                        ],
                        [
                            55779966,
                            0
                        ],
                        [
                            55871498,
                            0
                        ],
                        [
                            55914302,
                            0
                        ],
                        [
                            55965218,
                            0
                        ],
                        [
                            55965266,
                            0
                        ],
                        [
                            55965422,
                            0
                        ],
                        [
                            55965502,
                            0
                        ],
                        [
                            55965550,
                            0
                        ],
                        [
                            55980818,
                            0
                        ],
                        [
                            55982522,
                            0
                        ],
                        [
                            55998942,
                            0
                        ],
                        [
                            56017846,
                            0
                        ],
                        [
                            56055566,
                            0
                        ],
                        [
                            56369278,
                            0
                        ],
                        [
                            56369474,
                            0
                        ],
                        [
                            56369662,
                            0
                        ],
                        [
                            56369822,
                            0
                        ],
                        [
                            56369918,
                            0
                        ],
                        [
                            56370238,
                            0
                        ],
                        [
                            56372302,
                            0
                        ],
                        [
                            56373622,
                            0
                        ],
                        [
                            56374450,
                            0
                        ],
                        [
                            56374482,
                            0
                        ],
                        [
                            56375742,
                            0
                        ],
                        [
                            56376414,
                            0
                        ],
                        [
                            56387450,
                            0
                        ],
                        [
                            56388894,
                            0
                        ],
                        [
                            56388990,
                            0
                        ],
                        [
                            56390018,
                            0
                        ],
                        [
                            56395990,
                            0
                        ],
                        [
                            56398894,
                            0
                        ],
                        [
                            56399010,
                            0
                        ],
                        [
                            56401378,
                            0
                        ],
                        [
                            56415614,
                            0
                        ],
                        [
                            56426078,
                            0
                        ],
                        [
                            56430238,
                            0
                        ],
                        [
                            56430270,
                            0
                        ],
                        [
                            56431870,
                            0
                        ],
                        [
                            56433986,
                            0
                        ],
                        [
                            56434462,
                            0
                        ],
                        [
                            56435018,
                            0
                        ],
                        [
                            56435610,
                            0
                        ],
                        [
                            56435870,
                            0
                        ],
                        [
                            56436842,
                            0
                        ],
                        [
                            56437054,
                            0
                        ],
                        [
                            56441374,
                            0
                        ],
                        [
                            56441510,
                            0
                        ],
                        [
                            56441834,
                            0
                        ],
                        [
                            56442410,
                            0
                        ],
                        [
                            56443542,
                            0
                        ],
                        [
                            56444202,
                            0
                        ],
                        [
                            56451022,
                            0
                        ],
                        [
                            56457354,
                            0
                        ],
                        [
                            56458494,
                            0
                        ],
                        [
                            56458786,
                            0
                        ],
                        [
                            56461778,
                            0
                        ],
                        [
                            56465118,
                            0
                        ],
                        [
                            56465822,
                            0
                        ],
                        [
                            56467430,
                            0
                        ],
                        [
                            56473246,
                            0
                        ],
                        [
                            56473446,
                            0
                        ],
                        [
                            56476670,
                            0
                        ],
                        [
                            56476766,
                            0
                        ],
                        [
                            56479874,
                            0
                        ],
                        [
                            56480062,
                            0
                        ],
                        [
                            56480894,
                            0
                        ],
                        [
                            56481670,
                            0
                        ],
                        [
                            56481998,
                            0
                        ],
                        [
                            56483934,
                            0
                        ],
                        [
                            56484362,
                            0
                        ],
                        [
                            56486194,
                            0
                        ],
                        [
                            56498046,
                            0
                        ],
                        [
                            56498886,
                            0
                        ],
                        [
                            56505626,
                            0
                        ],
                        [
                            56510314,
                            0
                        ],
                        [
                            56511546,
                            0
                        ],
                        [
                            56511614,
                            0
                        ],
                        [
                            56511782,
                            0
                        ],
                        [
                            56512714,
                            0
                        ],
                        [
                            56513246,
                            0
                        ],
                        [
                            56518366,
                            0
                        ],
                        [
                            56518614,
                            0
                        ],
                        [
                            56527222,
                            0
                        ],
                        [
                            56527550,
                            0
                        ],
                        [
                            56531422,
                            0
                        ],
                        [
                            56535134,
                            0
                        ],
                        [
                            56535198,
                            0
                        ],
                        [
                            56536222,
                            0
                        ],
                        [
                            56537038,
                            0
                        ],
                        [
                            56537782,
                            0
                        ],
                        [
                            56537910,
                            0
                        ],
                        [
                            56545474,
                            0
                        ],
                        [
                            56545630,
                            0
                        ],
                        [
                            56551718,
                            0
                        ],
                        [
                            56552906,
                            0
                        ],
                        [
                            56552990,
                            0
                        ],
                        [
                            56553242,
                            0
                        ],
                        [
                            56554350,
                            0
                        ],
                        [
                            56554462,
                            0
                        ],
                        [
                            56561306,
                            0
                        ],
                        [
                            56563950,
                            0
                        ],
                        [
                            56579266,
                            0
                        ],
                        [
                            56582666,
                            0
                        ],
                        [
                            56588466,
                            0
                        ],
                        [
                            56589118,
                            0
                        ],
                        [
                            56591530,
                            0
                        ],
                        [
                            56592822,
                            0
                        ],
                        [
                            56592990,
                            0
                        ],
                        [
                            56593254,
                            0
                        ],
                        [
                            56593314,
                            0
                        ],
                        [
                            56594622,
                            0
                        ],
                        [
                            56595082,
                            0
                        ],
                        [
                            56596718,
                            0
                        ],
                        [
                            56597166,
                            0
                        ],
                        [
                            56606078,
                            0
                        ],
                        [
                            56606270,
                            0
                        ],
                        [
                            56607966,
                            0
                        ],
                        [
                            56608382,
                            0
                        ],
                        [
                            56609762,
                            0
                        ],
                        [
                            56613346,
                            0
                        ],
                        [
                            56614754,
                            0
                        ],
                        [
                            56621470,
                            0
                        ],
                        [
                            56625458,
                            0
                        ],
                        [
                            56627970,
                            0
                        ],
                        [
                            56630398,
                            0
                        ],
                        [
                            56635742,
                            0
                        ],
                        [
                            56635922,
                            0
                        ],
                        [
                            56640322,
                            0
                        ],
                        [
                            56641350,
                            0
                        ],
                        [
                            56641406,
                            0
                        ],
                        [
                            56642602,
                            0
                        ],
                        [
                            56643270,
                            0
                        ],
                        [
                            56644490,
                            0
                        ],
                        [
                            56645290,
                            0
                        ],
                        [
                            56655262,
                            0
                        ],
                        [
                            56658430,
                            0
                        ],
                        [
                            56658590,
                            0
                        ],
                        [
                            56659822,
                            0
                        ],
                        [
                            56660830,
                            0
                        ],
                        [
                            56663666,
                            0
                        ],
                        [
                            56664098,
                            0
                        ],
                        [
                            56668090,
                            0
                        ],
                        [
                            56668598,
                            0
                        ],
                        [
                            56674622,
                            0
                        ],
                        [
                            56674814,
                            0
                        ],
                        [
                            56676478,
                            0
                        ],
                        [
                            56677038,
                            0
                        ],
                        [
                            56678862,
                            0
                        ],
                        [
                            56680930,
                            0
                        ],
                        [
                            56686022,
                            0
                        ],
                        [
                            56689214,
                            0
                        ],
                        [
                            56692958,
                            0
                        ],
                        [
                            56693522,
                            0
                        ],
                        [
                            56694454,
                            0
                        ],
                        [
                            56694718,
                            0
                        ],
                        [
                            56695870,
                            0
                        ],
                        [
                            56696486,
                            0
                        ],
                        [
                            56700254,
                            0
                        ],
                        [
                            56700786,
                            0
                        ],
                        [
                            56704230,
                            0
                        ],
                        [
                            56704670,
                            0
                        ],
                        [
                            56705958,
                            0
                        ],
                        [
                            62388474,
                            0
                        ],
                        [
                            62845286,
                            0
                        ],
                        [
                            62845386,
                            0
                        ],
                        [
                            62880418,
                            0
                        ],
                        [
                            62894242,
                            0
                        ],
                        [
                            62894270,
                            0
                        ],
                        [
                            62946182,
                            0
                        ],
                        [
                            62976506,
                            0
                        ],
                        [
                            62977702,
                            0
                        ],
                        [
                            62988134,
                            0
                        ],
                        [
                            66171018,
                            0
                        ],
                        [
                            68333010,
                            0
                        ],
                        [
                            68333206,
                            0
                        ],
                        [
                            68333518,
                            0
                        ],
                        [
                            68398682,
                            0
                        ],
                        [
                            68653558,
                            0
                        ],
                        [
                            69306722,
                            0
                        ],
                        [
                            69320178,
                            0
                        ],
                        [
                            69373966,
                            0
                        ],
                        [
                            69373994,
                            0
                        ],
                        [
                            69374026,
                            0
                        ],
                        [
                            69506350,
                            0
                        ],
                        [
                            69699366,
                            0
                        ],
                        [
                            69700450,
                            0
                        ],
                        [
                            69706662,
                            0
                        ],
                        [
                            69712486,
                            0
                        ],
                        [
                            69713802,
                            0
                        ],
                        [
                            69717814,
                            0
                        ],
                        [
                            69721526,
                            0
                        ],
                        [
                            69731034,
                            0
                        ],
                        [
                            69731830,
                            0
                        ],
                        [
                            69734162,
                            0
                        ],
                        [
                            69734506,
                            0
                        ],
                        [
                            69736606,
                            0
                        ],
                        [
                            69736666,
                            0
                        ],
                        [
                            69736810,
                            0
                        ],
                        [
                            69737066,
                            0
                        ],
                        [
                            69738602,
                            0
                        ],
                        [
                            69739066,
                            0
                        ],
                        [
                            69739874,
                            0
                        ],
                        [
                            69740266,
                            0
                        ],
                        [
                            69741178,
                            0
                        ],
                        [
                            69742290,
                            0
                        ],
                        [
                            69743006,
                            0
                        ],
                        [
                            69743274,
                            0
                        ],
                        [
                            69744306,
                            0
                        ],
                        [
                            69744958,
                            0
                        ],
                        [
                            69746734,
                            0
                        ],
                        [
                            69747042,
                            0
                        ]
                    ],
                    "shell8": [
                        [
                            2046267,
                            1
                        ]
                    ],
                    "shell1": [
                        [
                            51163315,
                            2
                        ],
                        [
                            51174733,
                            2
                        ],
                        [
                            51293047,
                            2
                        ],
                        [
                            51466891,
                            2
                        ],
                        [
                            51518495,
                            2
                        ],
                        [
                            51560749,
                            2
                        ],
                        [
                            51606645,
                            2
                        ],
                        [
                            51633433,
                            2
                        ],
                        [
                            51658163,
                            2
                        ],
                        [
                            51703335,
                            2
                        ]
                    ]
                },
                "strings": [
                    "VYvs6A==",
                    "VYvs6Q==",
                    "ZItk"
                ]
            }
        ],
        "sha1": "f8dea56059aff837f08227ded031542c81ae4d7a",
        "name": "9b74504c4c3d1cde_wer12dc.tmp.hdmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER12DC.tmp.hdmp",
        "type": "MDMP crash report data",
        "sha256": "9b74504c4c3d1cde8c88b3570a4f828b6e1ff2d755b741095cf269fb4e19a42a",
        "urls": [
            "http:\/\/www.iec.ch",
            "http:\/\/crl.mic",
            "http:\/\/ocsp.verisign.com0",
            "https:\/\/www.verisign.com\/rpa",
            "http:\/\/csc3-2009-2-crl.verisign.com\/CSC3-2009-2.crl0D",
            "http:\/\/crl.verisign.com\/pca3.crl0",
            "https:\/\/www.verisign.com\/rpa0",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0",
            "https:\/\/www.verisign.com\/CPS04",
            "http:\/\/tempuri.org\/XMLSchema.xsd",
            "https:\/\/www.verisig",
            "http:\/\/csc3-2009-2-aia.verisign.com\/CSC3-2009-2.cer0",
            "http:\/\/csc3",
            "https:\/\/www.verisign.com\/repository\/verisignlogo.gif0D",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0",
            "http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0",
            "https:\/\/www.verisign.com",
            "http:\/\/crl.verisign.com\/tss-ca.crl0",
            "https:\/\/www.verisign.com\/repository\/CPS",
            "http:\/\/g",
            "http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u",
            "http:\/\/crl.globalsign.net\/root-r2.crl0"
        ],
        "crc32": "2AE6858E",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1571\/files\/9b74504c4c3d1cde_wer12dc.tmp.hdmp",
        "ssdeep": null,
        "size": 73674513,
        "sha512": "6f3301e34fcb302dd02f16960c9e4668f2e61c8a5a735748a648c4029f9c884fa779639498202eaf4b607ce4b5249627e264d2125818866181c3a023e4eb1534",
        "pids": [
            2844
        ],
        "md5": "79046b4de84284d393484b8e76760336"
    },
    {
        "yara": [],
        "sha1": "c64ad224b877cd5bbdcdb1799b71f3682602d231",
        "name": "b0a39e28d93f7822_Tar57D9.tmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
        "type": "data",
        "sha256": "b0a39e28d93f7822fe6cac1e082c7adc581dcd2b61eb9f536e74bd14a75b27bc",
        "urls": [
            "http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0",
            "http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u"
        ],
        "crc32": "B495BE07",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1571\/files\/b0a39e28d93f7822_Tar57D9.tmp",
        "ssdeep": null,
        "size": 138525,
        "sha512": "0663fb22bcefd0ac5f090104322a8c0dc1ceb77a168b589d7dbb9a74d109daf38beac97dab715220abab08c355496f5719159e17995248caa19eff45bc2a5d46",
        "pids": [
            2816
        ],
        "md5": "0e34ebf89b843b303f0fb5f194be9d28"
    },
    {
        "yara": [],
        "sha1": "cf925fc512b936fe7d44ceb6e999e4a020ed6ff0",
        "name": "4c9c4d831d61c8c3_Cab57C8.tmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
        "type": "Microsoft Cabinet archive data, 56952 bytes, 1 file",
        "sha256": "4c9c4d831d61c8c38b2513f9b431ef4f4cf6af9fb18a2317cd2178d6e0997822",
        "urls": [],
        "crc32": "5168F337",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1571\/files\/4c9c4d831d61c8c3_Cab57C8.tmp",
        "ssdeep": null,
        "size": 56952,
        "sha512": "65dc435f6d3e1afd347ba1617a3eee59c6660f221faa36456a09e307d434d7276e8095e8aa34d59933e685a9f84564ec783e59ae9658791f7ebdbbc2eda32f7a",
        "pids": [
            2816
        ],
        "md5": "04d79a0dc77a8f449cbff6252862d398"
    },
    {
        "yara": [],
        "sha1": "0a251c545c013168e04270b87d9fdf697fdc4745",
        "name": "d70e7965b198f5d8_wer87b.tmp.werinternalmetadata.xml",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER87B.tmp.WERInternalMetadata.xml",
        "type": "XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators",
        "sha256": "d70e7965b198f5d858806b76d061f9cfa95cdffb03e53d43fa15189decff4546",
        "urls": [],
        "crc32": "356D471B",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1571\/files\/d70e7965b198f5d8_wer87b.tmp.werinternalmetadata.xml",
        "ssdeep": null,
        "size": 2652,
        "sha512": "52e5472bd098a385d144eb99e7b71161cc4e0e2f100581f27525db04248ad818840556660a10853d0182548db3d60398acd2fee27501be580b4b5ad477067e22",
        "pids": [
            2844
        ],
        "md5": "1d916ef0d9f83a916feb43a76c0fc550"
    },
    {
        "yara": [],
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "name": "e3b0c44298fc1c14_WER87B.tmp",
        "type": "empty",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "urls": [],
        "crc32": "00000000",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1571\/files\/e3b0c44298fc1c14_WER87B.tmp",
        "ssdeep": null,
        "size": 0,
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
        "md5": "d41d8cd98f00b204e9800998ecf8427e"
    }
]

Generic

[
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
        "process_name": "a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
        "pid": 2816,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
            ],
            "file_recreated": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
                "\\Device\\KsecDD",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
            ],
            "regkey_written": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Direct3D\\MostRecentApplication\\Name"
            ],
            "dll_loaded": [
                "imagehlp.dll",
                "API-MS-Win-Security-LSALookup-L1-1-0.dll",
                "DNSAPI.dll",
                "icm32.dll",
                "dwmapi.dll",
                "cryptsp.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll",
                "ncrypt.dll",
                "API-MS-WIN-Service-Management-L2-1-0.dll",
                "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\uxtheme.dll",
                "C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
                "WtsApi32.dll",
                "SspiCli.dll",
                "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\WindowsCodecs.dll",
                "advapi32.dll",
                "ole32.dll",
                "SHLWAPI.dll",
                "USER32.dll",
                "C:\\Windows\\syswow64\\CRYPT32.dll",
                "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll",
                "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\msctf.dll",
                "WindowsCodecs.dll",
                "C:\\Windows\\System32\\wship6.dll",
                "setupapi.dll",
                "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\MSVCR80.dll",
                "WINMM.dll",
                "WindowsCodecsExt.dll",
                "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\PresentationNative_v0300.dll",
                "C:\\Windows\\System32\\wshtcpip.dll",
                "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\ntdll.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
                "urlmon.dll",
                "ntdll",
                "WINSTA.dll",
                "CFGMGR32.dll",
                "kernel32.dll",
                "C:\\Windows\\system32\\IMM32.DLL",
                "C:\\Windows\\Microsoft.NET\\Framework\\v3.0\\WPF\\wpfgfx_v0300.dll",
                "SensApi.dll",
                "ntdll.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
                "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
                "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\shell32.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\WindowsBase\\cf293040f3a93afa1ea782487acae816\\WindowsBase.ni.dll",
                "IPHLPAPI.DLL",
                "RichEd20.dll",
                "uxtheme.dll",
                "winhttp.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\PresentationCore\\2ad23de8284d4594aa658dfb5e667d97\\PresentationCore.ni.dll",
                "profapi.dll",
                "d3d9.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\DiskInfo.dll",
                "VERSION.dll",
                "RpcRtRemote.dll",
                "WINTRUST.DLL",
                "C:\\Windows\\system32\\cryptnet.dll",
                "DEVRTL.dll",
                "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\WtsApi32.dll",
                "Cabinet.dll",
                "user32.dll",
                "WINHTTP.dll",
                "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\WindowsCodecsExt.dll",
                "gdi32.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\PresentationFramewo#\\299d0b38053fd7cbd84bac2178c3703b\\PresentationFramework.Aero.ni.dll",
                "KERNEL32.dll",
                "DWMAPI.dll",
                "bcrypt.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
                "mscms.dll",
                "CRYPTSP.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\PresentationFramewo#\\bfaf8f86e69928fb2f67987c0203f603\\PresentationFramework.ni.dll",
                "credssp.dll",
                "API-MS-WIN-Service-winsvc-L1-1-0.dll",
                "msctf.dll",
                "MSVCR80.dll",
                "psapi.dll",
                "NSI.dll",
                "mscorsec.dll",
                "ADVAPI32.dll",
                "advapi32",
                "WS2_32.dll",
                "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\wpfgfx_v0300.dll",
                "DiskInfo.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
                "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\mscms.dll",
                "imm32.dll",
                "API-MS-WIN-Service-Management-L1-1-0.dll",
                "cryptnet.dll",
                "PresentationNative_v0300.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
                "API-MS-Win-Security-SDDL-L1-1-0.dll",
                "shell32.dll",
                "RPCRT4.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
                "mscoree.dll",
                "C:\\Windows\\system32\\mswsock.dll",
                "AdvApi32.dll",
                "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\urlmon.dll"
            ],
            "file_failed": [
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_BBB35F3D100606CE5776FB7E4248C8F3",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_A9B67992415C7278B802A8719047D9A9",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin.config",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\60E31627FDA0A46932B0E5948949F2A5",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_B1CB1333D42495D9A10D2CAA47E4B14A",
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.config",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0797C381B2F87EB5A1D5573BD15BA4F4"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.UIAutomationProvider__31bf3856ad364e35",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.ReachFramework__31bf3856ad364e35",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Avalon.Graphics",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
                "HKEY_CLASSES_ROOT\\Interface\\{C247F616-BBEB-406A-AED3-F75E656599AE}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.System.Printing__31bf3856ad364e35",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Fonts",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.WindowsBase__31bf3856ad364e35",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
                "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
                "HKEY_LOCAL_MACHINE\\SoftWare\\Wow6432Node\\ASUS\\AI RECOVERY",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Net Framework Setup\\NDP\\v3.0\\Setup\\Windows Presentation Foundation",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Wisp\\Pen\\SysEventParameters",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
                "HKEY_LOCAL_MACHINE\\SoftWare\\ASUS\\AI RECOVERY",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationUI__31bf3856ad364e35",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationCFFRasterizer__31bf3856ad364e35",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Video\\{6FABAC3A-B3E4-4C2F-82E9-AA53D01C5093}\\0000",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationFramework.Aero__31bf3856ad364e35",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Avalon.Graphics",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2568d43a\\5aa3a8ee",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.UIAutomationTypes__31bf3856ad364e35",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
                "HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Windows Presentation Foundation\\Features",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81",
                "HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Tracing\\WPF",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\18c31e23\\77858a0e",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2568d43a\\608e407e",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
                "HKEY_CLASSES_ROOT\\.png",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b",
                "HKEY_CLASSES_ROOT\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
                "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationCore__31bf3856ad364e35",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data__b77a5c561934e089",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WinSAT",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile",
                "HKEY_CLASSES_ROOT\\CLSID\\{2B46E70F-CDA7-473E-89F6-DC9630A2390B}\\Instance",
                "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.PresentationFramework__31bf3856ad364e35"
            ],
            "resolves_host": [
                "www.download.windowsupdate.com",
                "ocsp.verisign.com",
                "crl.verisign.com",
                "csc3-2009-2-crl.verisign.com"
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
            ],
            "regkey_deleted": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
            ],
            "file_deleted": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
            ],
            "file_exists": [
                "C:\\Windows\\Globalization\\fi-fi.nlp",
                "C:\\Windows\\Globalization\\da-dk.nlp",
                "C:\\Users\\cuck\\AppData\\LocalLow",
                "C:\\Windows\\Globalization\\en-us.nlp",
                "C:\\Windows\\Globalization\\de.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AIRecoveryRemind.resources\\AIRecoveryRemind.resources.exe",
                "C:\\Windows\\Globalization\\it-it.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AIRecoveryRemind.resources.exe",
                "C:\\Windows\\Globalization\\de-de.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AIRecoveryRemind.resources.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
                "C:\\Windows\\Globalization\\ru-ru.nlp",
                "C:\\Windows\\Globalization\\nb-no.nlp",
                "C:\\Windows\\System32\\qagentrt.dll",
                "C:\\Windows\\Globalization\\sk-sk.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AIRecoveryRemind.resources.exe",
                "C:\\Windows\\Globalization\\es-mx.nlp",
                "C:\\Windows\\Globalization\\hu-hu.nlp",
                "C:\\Windows\\Globalization\\fr-fr.nlp",
                "C:\\Windows\\inf\\",
                "C:\\Windows\\Globalization\\ca-es.nlp",
                "C:\\Windows\\System32\\MSCOREE.DLL.local",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AIRecoveryRemind.resources\\AIRecoveryRemind.resources.dll",
                "C:\\Windows\\Globalization\\fr-ca.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.config",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AIRecoveryRemind.resources.dll",
                "C:\\Windows\\Globalization\\en.nlp",
                "C:\\Windows\\Globalization\\ja.nlp",
                "C:\\Windows\\Globalization\\el-gr.nlp",
                "C:\\Windows\\Globalization\\cs-cz.nlp",
                "C:\\Windows\\Globalization\\pt-br.nlp",
                "C:\\Windows\\System32\\p2pcollab.dll",
                "C:\\Windows\\Globalization\\sl-si.nlp",
                "C:\\Windows\\Globalization\\pl-pl.nlp",
                "C:\\Windows\\Globalization\\es-es.nlp",
                "C:\\Windows\\Globalization\\sv-se.nlp",
                "C:\\Windows\\Globalization\\eu-es.nlp",
                "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
                "C:\\Windows\\Globalization\\tr-tr.nlp",
                "C:\\Windows\\Globalization\\nl-nl.nlp",
                "C:\\Windows\\System32\\dnsapi.dll",
                "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
                "C:\\Windows\\Globalization\\pt-pt.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\AIRecoveryRemind.resources\\AIRecoveryRemind.resources.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\AIRecoveryRemind.resources\\AIRecoveryRemind.resources.exe",
                "C:\\Windows\\Fonts\\"
            ],
            "mutex": [
                "Local\\__DDrawExclMode__",
                "Local\\__DDrawCheckExclMode__"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\LocalLow",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
                "C:\\Windows\\assembly\\pubpol4.dat",
                "C:\\Windows\\Fonts\\verdanab.ttf",
                "C:\\Windows\\System32\\l_intl.nls",
                "C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
                "C:\\Windows\\Fonts\\verdana.ttf",
                "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
                "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
                "C:\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.bin",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015"
            ],
            "command_line": [
                "dw20.exe -x -s 1460"
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57EA.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57EB.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57D9.tmp",
                "C:\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA042.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA041.tmp",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA001.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA002.tmp"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Wisp\\Pen\\SysEventParameters\\DblTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\Status",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\UIAutomationTypes,3.0.0.0,,31bf3856ad364e35,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Video\\{6FABAC3A-B3E4-4C2F-82E9-AA53D01C5093}\\0000\\HardwareInformation.MemorySize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\MVID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Video\\{6FABAC3A-B3E4-4C2F-82E9-AA53D01C5093}\\0000\\InstalledDisplayDrivers",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\Disable Thread Input Manager",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data,2.0.0.0,,b77a5c561934e089,x86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winsat\\VideoMemoryBandwidth",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationCore,3.0.0.0,,31bf3856ad364e35,x86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\RegisteredProfiles\\sRGB",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationFramework,3.0.0.0,,31bf3856ad364e35,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\ReachFramework,3.0.0.0,,31bf3856ad364e35,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\2FDE6D39",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\RGB Emulation\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Size",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\SoftwareOnly",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\MVID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\LoadDebugRuntime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Printing,3.0.0.0,,31bf3856ad364e35,x86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\MVID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\DisableD3DXPSGP",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\NET Framework Setup\\NDP\\v3.0\\Setup\\Windows Presentation Foundation\\InstallRoot",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Direct3D HAL\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\SIG",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\ForceDriverFlagsOff",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\ILDependencies",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\MVID",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winsat\\VideoMemorySize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\UIAutomationProvider,3.0.0.0,,31bf3856ad364e35,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\DisablePSGP",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\528efda8\\3dbff305\\7b\\Modules",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\SIG",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{C247F616-BBEB-406A-AED3-F75E656599AE}\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\DX6TextureEnumInclusionList\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.png\\Content Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Ramp Emulation\\Size",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\77ccecdd\\1a2c19d\\77\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationUI,3.0.0.0,,31bf3856ad364e35,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationFramework.Aero,3.0.0.0,,31bf3856ad364e35,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\SIG",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7f3aad1e\\165f8aa0\\7d\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\DisplayName",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Wisp\\Pen\\SysEventParameters\\DblDist",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\PresentationCFFRasterizer,3.0.0.0,,31bf3856ad364e35,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\RGB Emulation\\Size",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Ramp Emulation\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3d67735\\6e35940e\\81\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6e35940e\\1639fec2\\81\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\55d78379\\2ffb0c52\\80\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\68fb5015\\1b89bb32\\7a\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\2708d9ec\\27899ac4\\65\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\WindowsBase,3.0.0.0,,31bf3856ad364e35,MSIL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\DisplayName",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6b2ef2ae\\3270cb54\\75\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\27899ac4\\2944bd3e\\65\\SIG",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Wisp\\Pen\\SysEventParameters\\Cancel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2ffb0c52\\13250b76\\7f\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\Drivers\\Direct3D HAL\\Size",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Direct3D\\DX6TextureEnumInclusionList\\Size",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\43fd4348\\4eab5f0e\\74\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2d485ce4\\6944285d\\73\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\46b91004\\77ccecdd\\77\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Windows\\assembly\\GAC_32\\PresentationCore\\3.0.0.0__31bf3856ad364e35\\PresentationCore.INI",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
                "C:\\Windows\\assembly\\GAC_MSIL\\WindowsBase\\3.0.0.0__31bf3856ad364e35\\WindowsBase.INI",
                "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_*",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_*",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6.INI",
                "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI",
                "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
                "C:\\Users\\cuck",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Windows\\assembly\\GAC_MSIL\\PresentationFramework\\3.0.0.0__31bf3856ad364e35\\PresentationFramework.INI",
                "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
                "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
                "C:\\Windows",
                "C:\\Windows\\winsxs",
                "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
                "C:\\Windows\\assembly\\GAC_MSIL\\PresentationFramework.Aero\\3.0.0.0__31bf3856ad364e35\\PresentationFramework.Aero.INI"
            ]
        },
        "first_seen": 1565063586.625,
        "ppid": 2016
    },
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1565063586.3281,
        "ppid": 376
    }
]

Signatures

[
    {
        "markcount": 9,
        "families": [],
        "description": "Checks if process is being debugged by a debugger",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741700,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1565063586.781,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 365
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1565063628.5,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 6483
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 3,
                    "nt_status": -1073741766,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1565063628.547,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 6580
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 127,
                    "nt_status": -1073741772,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1565063628.61,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 6612
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1565063628.75,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 7237
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 2,
                    "nt_status": -1073741809,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1565063628.781,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 7291
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 2,
                    "nt_status": -1073741515,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1565063629.391,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 7630
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 2,
                    "nt_status": -1073741515,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1565063629.391,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 7631
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 126,
                    "nt_status": -1073741515,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1565063629.469,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 7883
            }
        ],
        "references": [],
        "name": "checks_debugger"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "This executable has a PDB path",
        "severity": 1,
        "marks": [
            {
                "category": "pdb_path",
                "ioc": "D:\\WorkItem\\RecoveryDVD\\AIRecoveryRemindWin7\\obj\\Release\\AIRecoveryRemind.pdb",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "has_pdb"
    },
    {
        "markcount": 43,
        "families": [],
        "description": "Allocates read-write-execute memory (usually to unpack itself)",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x749f1000"
                    },
                    "time": 1565063586.781,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 255
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003aa000"
                    },
                    "time": 1565063586.781,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 377
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 8192,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x749f2000"
                    },
                    "time": 1565063586.781,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 378
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003a2000"
                    },
                    "time": 1565063586.781,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 379
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003b2000"
                    },
                    "time": 1565063586.813,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 525
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003b3000"
                    },
                    "time": 1565063628.281,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 5958
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x0046b000"
                    },
                    "time": 1565063628.281,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 5965
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00467000"
                    },
                    "time": 1565063628.281,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 5966
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003b4000"
                    },
                    "time": 1565063628.406,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6295
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003b5000"
                    },
                    "time": 1565063628.406,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6296
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003b6000"
                    },
                    "time": 1565063628.406,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6297
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003bc000"
                    },
                    "time": 1565063628.422,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6298
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003ba000"
                    },
                    "time": 1565063628.438,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6303
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05be0000"
                    },
                    "time": 1565063628.485,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6446
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003da000"
                    },
                    "time": 1565063628.485,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6449
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003d2000"
                    },
                    "time": 1565063628.485,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6462
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003c6000"
                    },
                    "time": 1565063628.5,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6484
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003ca000"
                    },
                    "time": 1565063628.5,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6486
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003c7000"
                    },
                    "time": 1565063628.5,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6487
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003ab000"
                    },
                    "time": 1565063628.5,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6513
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00465000"
                    },
                    "time": 1565063628.531,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6535
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003b7000"
                    },
                    "time": 1565063628.547,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6581
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003b8000"
                    },
                    "time": 1565063628.578,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6600
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05e60000"
                    },
                    "time": 1565063628.672,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6815
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003a3000"
                    },
                    "time": 1565063628.703,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6951
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003cb000"
                    },
                    "time": 1565063628.703,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 6972
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05e61000"
                    },
                    "time": 1565063628.719,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7113
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003cc000"
                    },
                    "time": 1565063628.797,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7299
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00c11000"
                    },
                    "time": 1565063628.813,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7315
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003cd000"
                    },
                    "time": 1565063628.828,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7362
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05e62000"
                    },
                    "time": 1565063628.844,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7435
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 16384,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00c12000"
                    },
                    "time": 1565063628.86,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7479
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 28672,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00c16000"
                    },
                    "time": 1565063628.86,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7480
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003bb000"
                    },
                    "time": 1565063629.328,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7535
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003c8000"
                    },
                    "time": 1565063629.328,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7545
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003b9000"
                    },
                    "time": 1565063629.36,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7563
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x06070000"
                    },
                    "time": 1565063629.36,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7565
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00c1d000"
                    },
                    "time": 1565063629.391,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7617
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05e63000"
                    },
                    "time": 1565063629.391,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7625
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x003ce000"
                    },
                    "time": 1565063629.391,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7635
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 2162688,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 8192,
                        "base_address": "0x078d0000"
                    },
                    "time": 1565063629.469,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_RESERVE"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7931
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x07aa0000"
                    },
                    "time": 1565063629.469,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7933
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2816,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x07aa1000"
                    },
                    "time": 1565063629.469,
                    "tid": 2420,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7934
            }
        ],
        "references": [],
        "name": "allocates_rwx"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks adapter addresses which can be used to detect virtual network interfaces",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "network",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "GetAdaptersAddresses",
                    "return_value": 111,
                    "arguments": {
                        "flags": 15,
                        "family": 0
                    },
                    "time": 1565063587.031,
                    "tid": 3016,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 2403
            }
        ],
        "references": [],
        "name": "antivm_network_adapters"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "The binary likely contains encrypted or compressed data indicative of a packer",
        "severity": 2,
        "marks": [
            {
                "entropy": 7.1017372238646,
                "section": {
                    "size_of_data": "0x00083e00",
                    "virtual_address": "0x00002000",
                    "entropy": 7.1017372238646,
                    "name": ".text",
                    "virtual_size": "0x00083c64"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 0.83597464342314,
                "type": "generic",
                "description": "Overall entropy of this PE file is high"
            }
        ],
        "references": [
            "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
            "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
        ],
        "name": "packer_entropy"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "LookupPrivilegeValueW",
                    "return_value": 1,
                    "arguments": {
                        "system_name": "",
                        "privilege_name": "SeDebugPrivilege"
                    },
                    "time": 1565063629.422,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 7657
            }
        ],
        "references": [],
        "name": "privilege_luid_check"
    },
    {
        "markcount": 519,
        "families": [],
        "description": "Potentially malicious URLs were found in the process memory dump",
        "severity": 2,
        "marks": [
            {
                "category": "url",
                "ioc": "http:\/\/www.expedia.com\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/uk.ask.com\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.priceminister.com\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/ru.wikipedia.org\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/ocsp.infonotary.com\/responder.cgi0V",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.merlin.com.pl\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.cnet.com\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.certificadodigital.com.br\/repositorio\/serasaca\/crl\/SerasaCAII.crl0",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.nifty.com\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/ns.adobe.com\/exif\/1.0\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.etmall.com.tw\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/crl.chambersign.org\/publicnotaryroot.crl0",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.goo.ne.jp\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/fr.wikipedia.org\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/busca.estadao.com.br\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.hanafos.com\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.chol.com\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/purl.org\/rss\/1.0\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.interpark.com\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/crl.verisign.com\/tss-ca.crl0",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.amazon.co.jp\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.mtv.com\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/busqueda.aol.com.mx\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.live.com\/results.aspx?FORM=SOLTDF",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/msdn.microsoft.com\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/msdn.microsoft.com\/workshop\/security\/privacy\/overview\/privacyimportxml.asp)",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.sify.com\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/yellowpages.superpages.com\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/suche.freenet.de\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/crl.chambersign.org\/chambersroot.crl0",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.aol.com\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/browse.guardian.co.uk\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.mercadolibre.com.mx\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.asharqalawsat.com\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.facebook.com\/",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/si.wikipedia.org\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.rtl.de\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.msn.com\/results.aspx?q=",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.microsoft.com.",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.naver.com\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/fedir.comsign.co.il\/cacert\/ComSignAdvancedSecurityCA.crt0",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "https:\/\/www.verisign.com\/repository\/verisignlogo.gif0D",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/crl.usertrust.com\/UTN-USERFirst-NetworkApplications.crl0",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "https:\/\/www.netlock.net\/docs",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/en.wikipedia.org\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/si.wikipedia.org\/w\/api.php?action=opensearch",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/www.signatur.rtr.at\/de\/directory\/cps.html0",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/udn.com\/favicon.ico",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/rover.ebay.com",
                "type": "ioc",
                "description": null
            },
            {
                "category": "url",
                "ioc": "http:\/\/search.ebay.fr\/",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "memdump_urls"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Looks for the Windows Idle Time to determine the uptime",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtQuerySystemInformation",
                    "return_value": 0,
                    "arguments": {
                        "information_class": 8
                    },
                    "time": 1565063629.25,
                    "tid": 2184,
                    "flags": {
                        "information_class": "SystemProcessorPerformanceInformation"
                    }
                },
                "pid": 2816,
                "type": "call",
                "cid": 7532
            }
        ],
        "references": [],
        "name": "antisandbox_idletime"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Attempts to create or modify system certificates",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "modifies_certificates"
    }
]

Yara

The Yara rules did not detect anything in the file.

Network

{
    "tls": [],
    "udp": [
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 546,
            "time": 3.0795691013336,
            "dport": 137,
            "sport": 137
        },
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 17538,
            "time": 9.0797700881958,
            "dport": 138,
            "sport": 138
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 19382,
            "time": 31.062268972397,
            "dport": 5355,
            "sport": 49556
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 19702,
            "time": 3.0238130092621,
            "dport": 5355,
            "sport": 49840
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 20030,
            "time": 25.892407178879,
            "dport": 5355,
            "sport": 50202
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 20350,
            "time": 2.247878074646,
            "dport": 5355,
            "sport": 51001
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 20670,
            "time": 5.6401829719543,
            "dport": 5355,
            "sport": 52259
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 20990,
            "time": 1.0157470703125,
            "dport": 5355,
            "sport": 53595
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 21318,
            "time": 2.6071059703827,
            "dport": 5355,
            "sport": 53848
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 21638,
            "time": 41.08865904808,
            "dport": 5355,
            "sport": 54025
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 21958,
            "time": 18.207760095596,
            "dport": 5355,
            "sport": 54237
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 22278,
            "time": 1.5200371742249,
            "dport": 5355,
            "sport": 54255
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 22606,
            "time": 10.836673021317,
            "dport": 5355,
            "sport": 54335
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 22926,
            "time": -0.099179983139038,
            "dport": 5355,
            "sport": 55314
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 23254,
            "time": 3.0135171413422,
            "dport": 5355,
            "sport": 55880
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 23582,
            "time": 36.283425092697,
            "dport": 5355,
            "sport": 56347
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 23902,
            "time": 28.471712112427,
            "dport": 5355,
            "sport": 56353
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 24222,
            "time": 47.429686069489,
            "dport": 5355,
            "sport": 56388
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 24542,
            "time": 43.656061172485,
            "dport": 5355,
            "sport": 58651
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 24862,
            "time": 16.042515039444,
            "dport": 5355,
            "sport": 58989
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 25182,
            "time": 38.888642072678,
            "dport": 5355,
            "sport": 59490
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 25502,
            "time": 13.446779966354,
            "dport": 5355,
            "sport": 59548
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 25822,
            "time": 20.786534070969,
            "dport": 5355,
            "sport": 60071
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 26142,
            "time": 33.653337001801,
            "dport": 5355,
            "sport": 60575
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 26462,
            "time": 23.28542804718,
            "dport": 5355,
            "sport": 62601
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 26782,
            "time": 8.2332711219788,
            "dport": 5355,
            "sport": 63506
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 27102,
            "time": 20.70650601387,
            "dport": 5355,
            "sport": 63646
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 27422,
            "time": 3.0375139713287,
            "dport": 5355,
            "sport": 64017
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 27742,
            "time": 1.5317850112915,
            "dport": 1900,
            "sport": 1900
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 47152,
            "time": 1.0459570884705,
            "dport": 3702,
            "sport": 49152
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 55536,
            "time": 3.1262471675873,
            "dport": 1900,
            "sport": 53598
        }
    ],
    "dns_servers": [],
    "http": [],
    "icmp": [],
    "smtp": [],
    "tcp": [],
    "smtp_ex": [],
    "mitm": [],
    "hosts": [],
    "pcap_sha256": "d9489d155705430bb32c48f66a82cf3563cc5f117e4fa4e8f4882c0f6212dab9",
    "dns": [],
    "http_ex": [],
    "domains": [],
    "dead_hosts": [],
    "sorted_pcap_sha256": "2b75b7f9362520b93297fbcf5565a544ad60bdfa5796fbac3959c24f53b45fe6",
    "irc": [],
    "https_ex": []
}

Screenshots

Screenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandbox

Hashes [?]

PropertyValue
MD5371a5a8d91fa53e95e53795c39bde91a
SHA256a0baca93efc59dcf46ab738db278815c26f18caa6ddabbe50e9db8921fa23bc6

Error Messages

These are some of the error messages that can appear related to airecoveryremind.exe:

airecoveryremind.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

airecoveryremind.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

AIRecoveryRemind has stopped working.

End Program - airecoveryremind.exe. This program is not responding.

airecoveryremind.exe is not a valid Win32 application.

airecoveryremind.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.

What will you do with the file?

To help other users, please let us know what you will do with the file:



Malware or legitimate?

If you feel that you need more information to determine if your should keep this file or remove it, please read this guide.

Please select the option that best describe your thoughts on the information provided on this web page


Free online surveys

And now some shameless self promotion ;)

A screenshot of FreeFixer's scan result.Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and let you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.

If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.

Comments

Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.

I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.

No comments posted yet.

Leave a reply