Avira.Systray.exe is part of Avira.Systray and was developed by Avira Operations GmbH & Co. KG, according to the Avira.Systray.exe version information.
Avira.Systray.exe's description is "Avira".
Avira.Systray.exe is digitally signed by Avira Operations GmbH & Co. KG.
Avira.Systray.exe is usually located in the 'C:\Program Files (x86)\Avira\Launcher\' folder.
None of the anti-virus scanners at VirusTotal reports anything malicious about Avira.Systray.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
The following is the available information on Avira.Systray.exe:
Property | Value |
---|---|
Product name | Avira.Systray |
Company name | Avira Operations GmbH & Co. KG |
File description | Avira |
Internal name | Avira.Systray.exe |
Original filename | Avira.Systray.exe |
Legal copyright | Copyright © 2019 Avira Operations GmbH & Co. KG and its Licensors |
Product version | 1.2.136.25116 |
File version | 1.2.136.25116 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
Avira.Systray.exe has a valid digital signature.
Property | Value |
---|---|
Signer name | Avira Operations GmbH & Co. KG |
Certificate issuer name | Symantec Class 3 Extended Validation Code Signing CA - G2 |
Certificate serial number | 1feb5456b9e0c2c68357c42975b98224 |
None of the 71 anti-virus programs at VirusTotal detected the Avira.Systray.exe file.
The following information was gathered by executing the file inside Cuckoo Sandbox. Cuckoo reported: "Successfully executed process in sandbox."
Note that the trace below also records Windows Error Reporting temporary files (WER5B7D.tmp, WER65DE.tmp.hdmp) and a "dw20.exe -x -s 1108" command line. dw20.exe is the .NET error reporting shim that Windows launches when a managed process terminates on an unhandled exception, so this run reflects the launcher crashing in the sandbox environment (the file_exists entries show it probing the Temp folder for Avira.OE.WinCore.dll and Avira.OE.WinCore.exe, which ship alongside it in a real installation) rather than normal operation.
{ "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "file_recreated": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "\\Device\\KsecDD", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList" ], "dll_loaded": [ "dbghelp.dll", "version.dll", "imm32.dll", "C:\\Windows\\system32\\ole32.dll", "imagehlp.dll", "API-MS-Win-Security-LSALookup-L1-1-0.dll", "ntdll", "gdi32.dll", 
"CFGMGR32.dll", "DUI70.dll", "C:\\Windows\\system32\\DUser.dll", "UxTheme.dll", "AdvApi32.dll", "SensApi.dll", "werui.dll", "dwmapi.dll", "ntdll.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll", "cryptsp.dll", "winhttp.dll", "verifier.dll", "ncrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\system32\\RICHED20.DLL", "API-MS-WIN-Service-Management-L2-1-0.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "cryptnet.dll", "C:\\Windows\\syswow64\\MSCTF.dll", "setupapi.dll", "crypt32.dll", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "psapi.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll", "OLEAUT32.DLL", "SspiCli.dll", "C:\\Windows\\system32\\wer.dll", "advapi32.dll", "comctl32", "ole32.dll", "SHLWAPI.dll", "CRYPTSP.dll", "USER32.dll", "Comctl32.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll", "credssp.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "IPHLPAPI.DLL", "C:\\Windows\\syswow64\\CRYPT32.dll", "shell32.dll", "C:\\Windows\\system32\\xmllite.dll", "bcrypt.dll", "OLEAUT32.dll", "profapi.dll", "SHELL32.dll", "RPCRT4.dll", "DNSAPI.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll", "C:\\Windows\\System32\\wship6.dll", "DUser.dll", "comctl32.dll", "NSI.dll", "mscorsec.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "RichEd20.dll", "VERSION.dll", "mscoree.dll", "kernel32.dll", "WINTRUST.DLL", "C:\\Windows\\system32\\cryptnet.dll", "C:\\Windows\\system32\\IMM32.DLL", "DEVRTL.dll", "C:\\Windows\\system32\\mswsock.dll", "powrprof.dll", "ADVAPI32.dll", "rpcrt4.dll", "C:\\Windows\\System32\\wshtcpip.dll", "WS2_32.dll", "Cabinet.dll", "user32.dll", 
"WINHTTP.dll" ], "file_opened": [ "C:\\Windows\\System32\\mscoree.dll", "C:\\Windows\\SysWOW64\\user32.dll", "C:\\Windows\\SysWOW64\\crypt32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat", "C:\\Windows\\SysWOW64\\sspicli.dll", "C:\\Windows\\System32\\cabinet.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Windows\\SysWOW64\\sechost.dll", "C:\\Windows\\System32\\gpapi.dll", "C:\\Windows\\System32\\netmsg.dll", "C:\\Windows\\SysWOW64\\ole32.dll", "C:\\Windows\\System32\\profapi.dll", "C:\\Windows\\System32\\IPHLPAPI.DLL", "C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Windows\\SysWOW64\\wintrust.dll", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Windows\\System32\\rasadhlp.dll", "C:\\Windows\\SysWOW64\\usp10.dll", "C:\\Windows\\System32\\mswsock.dll", "C:\\Windows\\System32\\WSHTCPIP.DLL", "C:\\Windows\\System32\\wship6.dll", "C:\\Windows\\System32\\credssp.dll", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll", "C:\\Windows\\SysWOW64\\Wldap32.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Windows\\SysWOW64\\CRYPTBASE.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", 
"C:\\Windows\\System32\\winnsi.dll", "C:\\Windows\\SysWOW64\\rpcrt4.dll", "C:\\Windows\\System32\\webio.dll", "C:\\Windows\\System32\\devrtl.dll", "C:\\Windows\\SysWOW64\\shell32.dll", "C:\\Windows\\SysWOW64\\lpk.dll", "C:\\Windows\\System32\\version.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Windows\\win.ini", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Windows\\SysWOW64\\ws2_32.dll", "C:\\Windows\\assembly\\pubpol4.dat", "C:\\Windows\\SysWOW64\\gdi32.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Windows\\System32\\rsaenh.dll", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", "C:\\Windows\\System32\\SensApi.dll", "C:\\Windows\\System32\\uxtheme.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Windows\\System32\\cryptnet.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Windows\\SysWOW64\\kernel32.dll", "C:\\Windows\\SysWOW64\\msvcrt.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Windows\\SysWOW64\\shlwapi.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Windows\\System32\\dhcpcsvc6.DLL", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "C:\\Windows\\System32\\winhttp.dll", "C:\\Windows\\SysWOW64\\ntdll.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Windows\\System32\\imm32.dll", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\SysWOW64\\cfgmgr32.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp", "C:\\Windows\\System32\\apphelp.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\LocalLow", "C:\\Windows\\SysWOW64\\advapi32.dll", "C:\\Windows\\SysWOW64\\msctf.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Windows\\System32\\userenv.dll", "C:\\Windows\\System32\\bcrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\System32\\cryptsp.dll", "C:\\Windows\\SysWOW64\\nsi.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Windows\\System32\\l_intl.nls", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Windows\\SysWOW64\\msasn1.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Windows\\System32\\dhcpcsvc.dll", "C:\\Windows\\System32\\en-US\\erofflps.txt", "C:\\Windows\\System32\\ncrypt.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "C:\\Windows\\SysWOW64\\imagehlp.dll", "C:\\Windows\\SysWOW64\\KERNELBASE.dll" ], "command_line": [ "dw20.exe -x -s 1108" ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32", "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER", "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5f57882f\\140d0d2a", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6292b898\\1d90e993", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup 
Migration\\Providers\\Tcpip6", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting" ], "resolves_host": [ "sw.symcd.com", "watson.microsoft.com", "s.symcb.com", "s.symcd.com", "www.download.windowsupdate.com", "sw.symcb.com" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "regkey_deleted": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "file_exists": [ "C:\\Windows\\System32\\apphelp.dll", "C:\\Windows\\Globalization\\en-us.nlp", "C:\\Windows\\System32\\mswsock.dll", "C:\\Windows\\SysWOW64\\CRYPTBASE.dll", "C:\\Windows\\System32\\mscoree.dll", "C:\\Windows\\SysWOW64\\user32.dll", "C:\\Windows\\System32\\qagentrt.dll", "C:\\Windows\\SysWOW64\\advapi32.dll", "C:\\Windows\\SysWOW64\\msctf.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\SysWOW64\\sspicli.dll", "C:\\Windows\\System32\\cabinet.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Windows\\System32\\winhttp.dll", "C:\\Windows\\SysWOW64\\kernel32.dll", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", "C:\\Windows\\System32\\winnsi.dll", "C:\\Windows\\SysWOW64\\shlwapi.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp", "C:\\Windows\\SysWOW64\\cfgmgr32.dll", "C:\\Windows\\System32\\bcrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\System32\\cryptsp.dll", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.dll", "C:\\Windows\\System32\\dhcpcsvc6.DLL", "C:\\Windows\\SysWOW64\\ole32.dll", "C:\\Windows\\System32\\devrtl.dll", "C:\\Windows\\System32\\profapi.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.exe", "C:\\Windows\\SysWOW64\\crypt32.dll", "C:\\Windows\\SysWOW64\\msasn1.dll", "C:\\Windows\\System32\\IPHLPAPI.DLL", "C:\\Users\\cuck\\AppData\\Local\\Temp\\", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "C:\\Windows\\SysWOW64\\shell32.dll", "C:\\Windows\\SysWOW64\\lpk.dll", "C:\\Windows\\System32\\version.dll", "C:\\Windows\\SysWOW64\\wintrust.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.exe", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "C:\\Windows\\System32\\gpapi.dll", "C:\\Windows\\System32\\userenv.dll", "C:\\Windows\\inf\\", "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme", "C:\\Windows\\System32\\webio.dll", "C:\\Windows\\System32\\rasadhlp.dll", "C:\\Windows\\System32\\dhcpcsvc.dll", "C:\\Windows\\System32\\en-US\\erofflps.txt", "C:\\Windows\\System32\\ncrypt.dll", "C:\\Windows\\SysWOW64\\ntdll.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "C:\\Windows\\SysWOW64\\usp10.dll", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Windows\\SysWOW64\\ws2_32.dll", "C:\\Windows\\SysWOW64\\sechost.dll", "C:\\Windows\\System32\\cryptnet.dll", 
"C:\\Windows\\System32\\wship6.dll", "C:\\Windows\\System32\\p2pcollab.dll", "C:\\Windows\\System32\\credssp.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.config", "C:\\Windows\\System32\\imm32.dll", "C:\\Windows\\SysWOW64\\gdi32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "C:\\Users\\cuck\\AppData\\LocalLow", "C:\\Windows\\SysWOW64\\imagehlp.dll", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac", "C:\\Windows\\SysWOW64\\rpcrt4.dll", "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll", "C:\\Windows\\System32\\WSHTCPIP.DLL", "C:\\Windows\\System32\\rsaenh.dll", "C:\\Windows\\System32\\MSCOREE.DLL.local", "C:\\Windows\\SysWOW64\\nsi.dll", "C:\\Windows\\SysWOW64\\Wldap32.dll", "C:\\Windows\\System32\\uxtheme.dll", "C:\\Windows\\System32\\SensApi.dll", "C:\\Windows\\SysWOW64\\KERNELBASE.dll", "C:\\Windows\\SysWOW64\\msvcrt.dll" ], "mutex": [ "Global\\b892f634-daf5-11e9-8829-08002749d99b" ], "file_failed": [ "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FA47BF11E3FC6DA7A80A2910535F021F", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_EC6918D7CB4A54242E7A79500CDB31EB", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3D0AC26322348780E90E022EA217C58C", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_DC03E45EC7611F50ADAEBABE405A8C4C", 
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A3D5BF1283C2E63D8C8A8C72F0051F5A", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin.config", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_8A7601FFF9878487CA80CB28D50438E2" ], "guid": [ "{713aacc8-3b71-435c-a3a1-be4e53621ab1}", "{22e4c895-8ab9-40bb-b81a-001dd9b1f449}" ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Windows\\win.ini", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "regkey_read": [ "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\GPAPI.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wshtcpip.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DEVRTL.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WS2_32.dll", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SspiCli.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wship6.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WLDAP32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IPHLPAPI.DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\credssp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNELBASE.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\NSI.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\imagehlp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\COMCTL32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\webio.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPT32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WINTRUST.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows\\CSDBuildNumber", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\RPCRT4.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINHTTP.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\SensApi.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\sechost.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CFGMGR32.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\ncrypt.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\uxtheme.dll", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\cryptnet.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MachineID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rsaenh.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IMM32.DLL", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\USERENV.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSCTF.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSASN1.dll", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DNSAPI.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ADVAPI32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 
0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Disabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc6.DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc.DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\CRYPTSP.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\msvcrt.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\ntdll.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\Cabinet.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\mswsock.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\GDI32.dll", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rasadhlp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINNSI.DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\bcrypt.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\VERSION.dll" ], "directory_enumerated": [ "C:\\Windows\\System32\\apphelp.dll", "C:\\Windows\\SysWOW64", "C:\\Users\\cuck\\AppData", "C:\\Windows\\SysWOW64\\user32.dll", "C:\\Windows\\SysWOW64\\advapi32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib", "C:\\Windows\\SysWOW64\\msctf.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\SysWOW64\\sspicli.dll", "C:\\Windows\\System32\\cabinet.dll", "C:\\Windows\\System32\\winhttp.dll", "C:\\Windows\\SysWOW64\\kernel32.dll", "C:\\Windows\\SysWOW64\\msvcrt.dll", "C:\\Windows\\assembly", "C:\\Windows\\System32\\winnsi.dll", "C:\\Windows\\SysWOW64\\shlwapi.dll", "C:\\Windows\\System32\\bcrypt.dll", "C:\\Windows\\SysWOW64\\cfgmgr32.dll", "C:\\Windows\\System32\\WSHTCPIP.DLL", "C:\\Windows\\System32", "C:\\Windows\\System32\\cryptsp.dll", "C:\\Windows\\System32\\webio.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "C:\\Windows\\SysWOW64\\ole32.dll", "C:\\Windows\\System32\\devrtl.dll", "C:\\Windows\\System32\\profapi.dll", "C:\\Windows\\System32\\mscoree.dll", "C:\\Windows\\SysWOW64\\crypt32.dll", "C:\\Windows\\SysWOW64\\msasn1.dll", "C:\\Windows\\System32\\IPHLPAPI.DLL", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "C:\\Windows\\SysWOW64\\shell32.dll", "C:\\Windows\\SysWOW64\\lpk.dll", "C:\\Windows\\System32\\version.dll", "C:\\Users", "C:\\Windows\\SysWOW64\\wintrust.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_66cb87fc63aae6c3cbb79a998d143e7b8dd8b0_cab_*", "C:\\Windows\\System32\\gpapi.dll", "C:\\Windows\\System32\\userenv.dll", "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll", "C:\\Windows\\SysWOW64\\nsi.dll", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI", 
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll", "C:\\Windows\\System32\\rasadhlp.dll", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_*", "C:\\Windows\\System32\\dhcpcsvc.dll", "C:\\Windows\\System32\\ncrypt.dll", "C:\\Windows\\SysWOW64\\ntdll.dll", "C:\\Users\\cuck", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Windows\\SysWOW64\\ws2_32.dll", "C:\\Windows\\SysWOW64\\sechost.dll", "C:\\Windows\\System32\\cryptnet.dll", "C:\\Users\\cuck\\AppData\\Local", "C:\\Windows\\System32\\wship6.dll", "C:\\Windows\\System32\\credssp.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.INI", "C:\\Windows\\System32\\imm32.dll", "C:\\Windows\\SysWOW64\\gdi32.dll", "C:\\Windows\\System32\\mswsock.dll", "C:\\Windows\\SysWOW64\\imagehlp.dll", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\SysWOW64\\usp10.dll", "C:\\Windows\\SysWOW64\\rpcrt4.dll", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_*", "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll", "C:\\Windows\\System32\\drivers\\*.mrk", "C:\\Windows\\System32\\rsaenh.dll", "C:\\Windows", "C:\\Windows\\winsxs", "C:\\Windows\\SysWOW64\\Wldap32.dll", "C:\\Windows\\System32\\uxtheme.dll", "C:\\Windows\\System32\\SensApi.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_66cb87fc63aae6c3cbb79a998d143e7b8dd8b0_cab_*" ] }
[ { "yara": [], "sha1": "c64ad224b877cd5bbdcdb1799b71f3682602d231", "name": "b0a39e28d93f7822_Tar57AA.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "type": "data", "sha256": "b0a39e28d93f7822fe6cac1e082c7adc581dcd2b61eb9f536e74bd14a75b27bc", "urls": [ "http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0", "http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07", "http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0", "http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0", "http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u" ], "crc32": "B495BE07", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/b0a39e28d93f7822_Tar57AA.tmp", "ssdeep": null, "size": 138525, "sha512": "0663fb22bcefd0ac5f090104322a8c0dc1ceb77a168b589d7dbb9a74d109daf38beac97dab715220abab08c355496f5719159e17995248caa19eff45bc2a5d46", "pids": [ 2816 ], "md5": "0e34ebf89b843b303f0fb5f194be9d28" }, { "yara": [ { "meta": { "description": "Contains an embedded Mach-O file", "author": "nex" }, "name": "embedded_macho", "offsets": { "magic1": [ [ 6794731, 0 ] ] }, "strings": [ "yv66vg==" ] }, { "meta": { "description": "Contains an embedded PE32 file", "author": "nex" }, "name": "embedded_pe", "offsets": { "a": [ [ 11878238, 0 ], [ 16210212, 0 ] ], "b": [ [ 3597770, 1 ] ] }, "strings": [ "UEUzMg==", "VGhpcyBwcm9ncmFt" ] }, { "meta": { "description": "A non-Windows executable contains win32 API functions names", "author": "nex" }, "name": "embedded_win_api", "offsets": { "api6": [ [ 9384895, 4 ], [ 10690397, 4 ], [ 11938275, 4 ], [ 11966776, 4 ] ], "api1": [ [ 3660851, 0 ], [ 3660918, 0 ] ], "api8": [ [ 9382821, 1 ], [ 10688311, 1 ], [ 11897980, 1 ], [ 11938353, 1 ] ], "api14": [ [ 9382821, 1 ], [ 10688311, 1 ], [ 11897980, 1 ], [ 11938353, 1 ] ], "api12": [ [ 9384826, 3 ], [ 11938231, 3 ], [ 11938251, 3 ] ], "api13": [ [ 9382903, 2 ], [ 
11937857, 2 ] ] }, "strings": [ "Q3JlYXRlRmlsZUE=", "R2V0V2luZG93c0RpcmVjdG9yeQ==", "R2V0VGVtcFBhdGg=", "U2V0RmlsZVBvaW50ZXI=", "V3JpdGVGaWxl" ] }, { "meta": { "description": "Matched shellcode byte patterns", "author": "nex" }, "name": "shellcode", "offsets": { "shell7": [ [ 8547723, 0 ], [ 8562075, 0 ], [ 8562315, 0 ], [ 8562363, 0 ], [ 8563499, 0 ], [ 8581803, 0 ], [ 8662315, 0 ], [ 8733547, 0 ], [ 8733739, 0 ], [ 8755211, 0 ], [ 8783739, 0 ], [ 8812971, 0 ], [ 8832987, 0 ], [ 8859851, 0 ], [ 8878715, 0 ], [ 8948171, 0 ], [ 8987115, 0 ], [ 9028683, 0 ], [ 9047147, 0 ], [ 9047211, 0 ], [ 9091675, 0 ], [ 9105355, 0 ], [ 9107275, 0 ], [ 9115275, 0 ], [ 13602943, 0 ], [ 13670687, 0 ], [ 13670859, 0 ], [ 13670887, 0 ], [ 13670915, 0 ], [ 13670991, 0 ], [ 13687207, 0 ], [ 13687835, 0 ], [ 13722059, 0 ], [ 13739467, 0 ], [ 13759011, 0 ], [ 13772039, 0 ], [ 13837771, 0 ], [ 13846771, 0 ], [ 13890779, 0 ], [ 13891239, 0 ], [ 13894303, 0 ], [ 13898731, 0 ], [ 13937059, 0 ], [ 13956727, 0 ], [ 13956755, 0 ], [ 13956783, 0 ], [ 13959835, 0 ], [ 13959871, 0 ], [ 13959971, 0 ], [ 13960007, 0 ], [ 13960051, 0 ], [ 13961227, 0 ], [ 13961271, 0 ], [ 13961311, 0 ], [ 13962111, 0 ], [ 13962147, 0 ], [ 14287851, 0 ], [ 14287915, 0 ], [ 14287943, 0 ], [ 14288315, 0 ], [ 14288667, 0 ], [ 14289083, 0 ], [ 14289115, 0 ], [ 14289531, 0 ], [ 14289563, 0 ], [ 14289851, 0 ], [ 14289883, 0 ], [ 14289951, 0 ], [ 14289979, 0 ], [ 14298299, 0 ], [ 14298331, 0 ], [ 14298363, 0 ], [ 14298459, 0 ], [ 14306267, 0 ], [ 14306435, 0 ], [ 14306651, 0 ], [ 14312835, 0 ], [ 14313235, 0 ], [ 14314043, 0 ], [ 14314307, 0 ], [ 14369635, 0 ], [ 14369691, 0 ], [ 14545891, 0 ], [ 14550043, 0 ], [ 14555511, 0 ], [ 14566707, 0 ], [ 14572603, 0 ], [ 14591195, 0 ], [ 14608091, 0 ], [ 14699623, 0 ], [ 14742427, 0 ], [ 14793343, 0 ], [ 14793391, 0 ], [ 14793547, 0 ], [ 14793627, 0 ], [ 14793675, 0 ], [ 14808943, 0 ], [ 14810647, 0 ], [ 14827067, 0 ], [ 14845971, 0 ], [ 14883691, 0 ], [ 15197403, 0 ], [ 15197599, 0 
], [ 15197787, 0 ], [ 15197947, 0 ], [ 15198043, 0 ], [ 15198363, 0 ], [ 15200427, 0 ], [ 15201747, 0 ], [ 15202575, 0 ], [ 15202607, 0 ], [ 15203867, 0 ], [ 15204539, 0 ], [ 15215575, 0 ], [ 15217019, 0 ], [ 15217115, 0 ], [ 15218143, 0 ], [ 15224115, 0 ], [ 15227019, 0 ], [ 15227135, 0 ], [ 15229503, 0 ], [ 15243739, 0 ], [ 15254203, 0 ], [ 15258363, 0 ], [ 15258395, 0 ], [ 15259995, 0 ], [ 15262111, 0 ], [ 15262587, 0 ], [ 15263143, 0 ], [ 15263735, 0 ], [ 15263995, 0 ], [ 15264967, 0 ], [ 15265179, 0 ], [ 15269499, 0 ], [ 15269635, 0 ], [ 15269959, 0 ], [ 15270535, 0 ], [ 15271667, 0 ], [ 15272327, 0 ], [ 15279147, 0 ], [ 15285479, 0 ], [ 15286619, 0 ], [ 15286911, 0 ], [ 15289903, 0 ], [ 15293243, 0 ], [ 15293947, 0 ], [ 15295555, 0 ], [ 15301371, 0 ], [ 15301571, 0 ], [ 15304795, 0 ], [ 15304891, 0 ], [ 15307999, 0 ], [ 15308187, 0 ], [ 15309019, 0 ], [ 15309795, 0 ], [ 15310123, 0 ], [ 15312059, 0 ], [ 15312487, 0 ], [ 15314319, 0 ], [ 15326171, 0 ], [ 15327011, 0 ], [ 15333751, 0 ], [ 15338439, 0 ], [ 15339671, 0 ], [ 15339739, 0 ], [ 15339907, 0 ], [ 15340839, 0 ], [ 15341371, 0 ], [ 15346491, 0 ], [ 15346739, 0 ], [ 15355347, 0 ], [ 15355675, 0 ], [ 15359547, 0 ], [ 15363259, 0 ], [ 15363323, 0 ], [ 15364347, 0 ], [ 15365163, 0 ], [ 15365907, 0 ], [ 15366035, 0 ], [ 15373599, 0 ], [ 15373755, 0 ], [ 15379843, 0 ], [ 15381031, 0 ], [ 15381115, 0 ], [ 15381367, 0 ], [ 15382475, 0 ], [ 15382587, 0 ], [ 15389431, 0 ], [ 15392075, 0 ], [ 15407391, 0 ], [ 15410791, 0 ], [ 15416591, 0 ], [ 15417243, 0 ], [ 15419655, 0 ], [ 15420947, 0 ], [ 15421115, 0 ], [ 15421379, 0 ], [ 15421439, 0 ], [ 15422747, 0 ], [ 15423207, 0 ], [ 15424843, 0 ], [ 15425291, 0 ], [ 15434203, 0 ], [ 15434395, 0 ], [ 15436091, 0 ], [ 15436507, 0 ], [ 15437887, 0 ], [ 15441471, 0 ], [ 15442879, 0 ], [ 15449595, 0 ], [ 15453583, 0 ], [ 15456095, 0 ], [ 15458523, 0 ], [ 15463867, 0 ], [ 15464047, 0 ], [ 15468447, 0 ], [ 15469475, 0 ], [ 15469531, 0 ], [ 15470727, 0 ], [ 15471395, 0 ], [ 
15472615, 0 ], [ 15473415, 0 ], [ 15483387, 0 ], [ 15486555, 0 ], [ 15486715, 0 ], [ 15487947, 0 ], [ 15488955, 0 ], [ 15491791, 0 ], [ 15492223, 0 ], [ 15496215, 0 ], [ 15496723, 0 ], [ 15502747, 0 ], [ 15502939, 0 ], [ 15504603, 0 ], [ 15505163, 0 ], [ 15506987, 0 ], [ 15509055, 0 ], [ 15514147, 0 ], [ 15517339, 0 ], [ 15521083, 0 ], [ 15521647, 0 ], [ 15522579, 0 ], [ 15522843, 0 ], [ 15523995, 0 ], [ 15524611, 0 ], [ 15528379, 0 ], [ 15528911, 0 ], [ 15532355, 0 ], [ 15532795, 0 ], [ 15534083, 0 ] ], "shell1": [ [ 9991440, 1 ], [ 10002858, 1 ], [ 10121172, 1 ], [ 10295016, 1 ], [ 10346620, 1 ], [ 10388874, 1 ], [ 10434770, 1 ], [ 10461558, 1 ], [ 10486288, 1 ], [ 10531460, 1 ] ] }, "strings": [ "VYvs6A==", "ZItk" ] } ], "sha1": "18a83f4d962f0a7b402bf5cc7c9f4a0abdb626ca", "name": "a8e742aac2cbb8b0_wer65de.tmp.hdmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp", "type": "MDMP crash report data", "sha256": "a8e742aac2cbb8b0902740bd1bcda949d088114875eeb7818f982b2663d2d04b", "urls": [ "http:\/\/s.symcb.com\/universal-root.crl0", "http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07", "http:\/\/www2.public-trust.com\/crl\/ct\/ctroot.crl0", "http:\/\/crl.xrampsecurity.com\/XGCA.crl0", "http:\/\/users.ocsp.d-trust.net03", "http:\/\/www.trustcenter.de\/guidelines0", "http:\/\/sw.symcd.com0", "http:\/\/crl.usertrust.com\/UTN-DATACorpSGC.crl0", "http:\/\/www.rootca.or.kr\/rca\/cps.html0", "http:\/\/www.a-cert.at0E", "http:\/\/crl.verisign.com\/pca3.crl0", "https:\/\/www.verisign.com\/rpa0", "http:\/\/crl.securetrust.com\/STCA.crl0", "http:\/\/ocsp.infonotary.com\/responder.cgi0V", "http:\/\/www.d-trust.net\/crl\/d-trust_qualified_root_ca_1_2007_pn.crl0", "http:\/\/www.entrust.net\/CRL\/Client1.crl0", "http:\/\/www.ssc.lt\/cps03", "http:\/\/qual.ocsp.d-trust.net0", "http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0", "https:\/\/www.verisign.com\/CPS04", "http:\/\/www.a-cert.at\/certificate-policy.html0", 
"http:\/\/ts-crl.ws.symantec.com\/sha256-tss-ca.crl0", "https:\/\/d.symcb.com\/cps0%", "http:\/\/www.pki.gva.es\/cps0", "http:\/\/www.registradores.org\/scr\/normativa\/cp_f2.htm0", "http:\/\/www.usertrust.com1604", "http:\/\/ca.sia.it\/seccli\/repository\/CRL.der0J", "http:\/\/cps.chambersign.org\/cps\/publicnotaryroot.html0", "http:\/\/sw1.symcb.com\/sw.crt0", "http:\/\/www.signatur.rtr.at\/current.crl0", "http:\/\/www.certplus.com\/CRL\/class2.crl0", "https:\/\/www.verisign.com\/repository\/verisignlogo.gif0D", "http:\/\/repository.swisssign.com\/0", "http:\/\/www.microsoft.com\/pki\/cert", "http:\/\/crl.ssc.lt\/root-a\/cacrl.crl0", "http:\/\/cps.chambersign.org\/cps\/chambersroot.html0", "http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0", "https:\/\/d.symcb.com\/rpa0", "http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0", "http:\/\/crl.chambersign.org\/publicnotaryroot.crl0", "https:\/\/www.verisign.com", "http:\/\/crl.pki.wellsfargo.com\/wsprca.crl0", "http:\/\/www.signatur.rtr.at\/de\/directory\/cps.html0", "http:\/\/www.e-trusX", "http:\/\/www.post.trust.ie\/reposit\/cps.html0", "http:\/\/www.usertrust.com1", "http:\/\/www.certplus.com\/CRL\/class3P.crl0", "http:\/\/www.d-trust.net0", "http:\/\/logo.verisign.com\/vslogo.gif0", "https:\/\/www.netlock.net\/docs", "http:\/\/fedir.comsign.co.il\/crl\/ComSignSecuredCA.crl0", "http:\/\/www.d-trust.net\/crl\/d-trust_root_class_3_ca_2007.crl0", "http:\/\/ocsp.pki.gva.es0", "http:\/\/ts-ocsp.ws.symantec.com0", "https:\/\/d.symcb.com\/rpa0.", "http:\/\/crl.usertrust.com\/UTN-USERFirst-ClientAuthenticationandEmail.crl0", "https:\/\/secure.a-cert.at\/cgi-bin\/a-cert-advanced.cgi0", "https:\/\/www.verisign.com\/repository\/CPS", "https:\/\/ca.sia.it\/seccli\/repository\/CPS0", "http:\/\/www.chambersign.org1", "http:\/\/g", "http:\/\/www.valicert.com\/1", "http:\/\/certificates.starfieldtech.com\/repository\/1604", 
"https:\/\/ca.sia.it\/secsrv\/repository\/CPS0", "http:\/\/ts-aia.ws.symantec.com\/sha256-tss-ca.cer0(", "http:\/\/www.ancert.com\/cps0", "http:\/\/crl.chambersign.org\/chambersroot.crl0", "http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u", "http:\/\/www.certicamara.com\/certicamaraca.crl0", "http:\/\/ca.sia.it\/secsrv\/repository\/CRL.der0J", "http:\/\/crl.chamb", "http:\/\/crl.globalsign.net\/root-r2.crl0", "http:\/\/www.e-trust.be\/CPS\/QNcerts", "http:\/\/s.symcd.com06", "http:\/\/crl.usertrust.com\/UTN-USERFirst-Hardware.crl01" ], "crc32": "C64373AF", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/a8e742aac2cbb8b0_wer65de.tmp.hdmp", "ssdeep": null, "size": 23791114, "sha512": "4047dcd4e74c68446c1f369d1e1857725ecb8d4add916fabd9ce1a8b2858085c676b3cf1a8295a20897ac3c10aa79b6611a8f4cc360c28b9c977ec155f24dff1", "pids": [ 2248 ], "md5": "a7a68a38c3e40737913c44660ff7c65c" }, { "yara": [], "sha1": "184d3fffeccd2c6ab2e54820b6638f08e1afffd9", "name": "24098bcb3613d6ec_wer5b7d.tmp.werinternalmetadata.xml", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", "type": "XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators", "sha256": "24098bcb3613d6ecf79063c4332e48292ac554455508917b574dba6ba4713397", "urls": [], "crc32": "373C3B51", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/24098bcb3613d6ec_wer5b7d.tmp.werinternalmetadata.xml", "ssdeep": null, "size": 2650, "sha512": "a922c676293d47e2617de0342858659e25edbbfd58773aa40dbe42590e09b83c359c4ae102a5a2804cc790a3329507a774be9b628b7d65f2947cae4eecb86e6c", "pids": [ 2248 ], "md5": "85ba2b7593285cf41e23b16f3fa6bc3f" }, { "yara": [], "sha1": "cf925fc512b936fe7d44ceb6e999e4a020ed6ff0", "name": "4c9c4d831d61c8c3_Cab5799.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "type": "Microsoft Cabinet archive data, 56952 bytes, 1 file", "sha256": 
"4c9c4d831d61c8c38b2513f9b431ef4f4cf6af9fb18a2317cd2178d6e0997822", "urls": [], "crc32": "5168F337", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/4c9c4d831d61c8c3_Cab5799.tmp", "ssdeep": null, "size": 56952, "sha512": "65dc435f6d3e1afd347ba1617a3eee59c6660f221faa36456a09e307d434d7276e8095e8aa34d59933e685a9f84564ec783e59ae9658791f7ebdbbc2eda32f7a", "pids": [ 2816 ], "md5": "04d79a0dc77a8f449cbff6252862d398" }, { "yara": [], "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "name": "e3b0c44298fc1c14_WER5B7D.tmp", "type": "empty", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "urls": [], "crc32": "00000000", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/e3b0c44298fc1c14_WER5B7D.tmp", "ssdeep": null, "size": 0, "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e", "md5": "d41d8cd98f00b204e9800998ecf8427e" } ]
[ { "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe", "process_name": "dw20.exe", "pid": 2248, "summary": { "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp" ], "file_recreated": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml" ], "dll_loaded": [ "dbghelp.dll", "version.dll", "C:\\Windows\\system32\\ole32.dll", "CFGMGR32.dll", "DUI70.dll", "C:\\Windows\\system32\\DUser.dll", "UxTheme.dll", "SensApi.dll", "werui.dll", "dwmapi.dll", "ntdll.dll", "cryptsp.dll", "winhttp.dll", "verifier.dll", "C:\\Windows\\system32\\RICHED20.DLL", "API-MS-WIN-Service-Management-L2-1-0.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "C:\\Windows\\syswow64\\MSCTF.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "psapi.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll", "OLEAUT32.DLL", "SspiCli.dll", "C:\\Windows\\system32\\wer.dll", "advapi32.dll", "comctl32", "ole32.dll", "SHLWAPI.dll", "CRYPTSP.dll", "USER32.dll", "Comctl32.dll", "credssp.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "IPHLPAPI.DLL", "C:\\Windows\\system32\\xmllite.dll", "OLEAUT32.dll", "SHELL32.dll", "RPCRT4.dll", "DNSAPI.dll", "C:\\Windows\\System32\\wship6.dll", "DUser.dll", "comctl32.dll", "NSI.dll", "kernel32.dll", "C:\\Windows\\system32\\mswsock.dll", "powrprof.dll", "ADVAPI32.dll", "rpcrt4.dll", "C:\\Windows\\System32\\wshtcpip.dll", "WS2_32.dll", "user32.dll", "WINHTTP.dll" ], "file_opened": [ "C:\\Windows\\System32\\apphelp.dll", "C:\\Windows\\System32\\mswsock.dll", "C:\\Windows\\SysWOW64\\CRYPTBASE.dll", "C:\\Windows\\System32\\mscoree.dll", "C:\\Windows\\SysWOW64\\user32.dll", "C:\\Windows\\SysWOW64\\advapi32.dll", "C:\\Windows\\SysWOW64\\msctf.dll", "C:\\Windows\\System32\\cryptnet.dll", 
"C:\\Windows\\SysWOW64\\sspicli.dll", "C:\\Windows\\System32\\cabinet.dll", "C:\\Windows\\System32\\winhttp.dll", "C:\\Windows\\SysWOW64\\kernel32.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", "C:\\Windows\\System32\\winnsi.dll", "C:\\Windows\\SysWOW64\\shlwapi.dll", "C:\\Windows\\System32\\bcrypt.dll", "C:\\Windows\\SysWOW64\\cfgmgr32.dll", "C:\\Windows\\System32\\WSHTCPIP.DLL", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\System32\\cryptsp.dll", "C:\\Windows\\System32\\webio.dll", "C:\\Windows\\System32\\dhcpcsvc6.DLL", "C:\\Windows\\SysWOW64\\ole32.dll", "C:\\Windows\\System32\\devrtl.dll", "C:\\Windows\\System32\\profapi.dll", "C:\\Windows\\SysWOW64\\crypt32.dll", "C:\\Windows\\SysWOW64\\msasn1.dll", "C:\\Windows\\System32\\IPHLPAPI.DLL", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "C:\\Windows\\SysWOW64\\shell32.dll", "C:\\Windows\\SysWOW64\\lpk.dll", "C:\\Windows\\System32\\version.dll", "C:\\Windows\\System32\\rasadhlp.dll", "C:\\Windows\\SysWOW64\\wintrust.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "C:\\Windows\\System32\\gpapi.dll", "C:\\Windows\\System32\\userenv.dll", "C:\\Windows\\System32\\dhcpcsvc.dll", "C:\\Windows\\win.ini", "C:\\Windows\\System32\\en-US\\erofflps.txt", "C:\\Windows\\System32\\ncrypt.dll", "C:\\Windows\\SysWOW64\\ntdll.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "C:\\Windows\\SysWOW64\\usp10.dll", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Windows\\SysWOW64\\ws2_32.dll", "C:\\Windows\\SysWOW64\\sechost.dll", "C:\\Windows\\System32\\wship6.dll", "C:\\Windows\\System32\\credssp.dll", "C:\\Windows\\System32\\imm32.dll", "C:\\Windows\\SysWOW64\\gdi32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", 
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Windows\\SysWOW64\\imagehlp.dll", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\SysWOW64\\rpcrt4.dll", "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll", "C:\\Windows\\System32\\rsaenh.dll", "C:\\Windows\\SysWOW64\\nsi.dll", "C:\\Windows\\SysWOW64\\Wldap32.dll", "C:\\Windows\\System32\\uxtheme.dll", "C:\\Windows\\System32\\SensApi.dll", "C:\\Windows\\SysWOW64\\KERNELBASE.dll", "C:\\Windows\\SysWOW64\\msvcrt.dll" ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys", 
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing", "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters" ], "resolves_host": [ "watson.microsoft.com" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp" ], "file_exists": [ "C:\\Windows\\System32\\apphelp.dll", "C:\\Windows\\System32\\mswsock.dll", "C:\\Windows\\SysWOW64\\CRYPTBASE.dll", "C:\\Windows\\System32\\mscoree.dll", "C:\\Windows\\SysWOW64\\user32.dll", "C:\\Windows\\SysWOW64\\advapi32.dll", "C:\\Windows\\SysWOW64\\msctf.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\SysWOW64\\sspicli.dll", "C:\\Windows\\System32\\cabinet.dll", "C:\\Windows\\System32\\winhttp.dll", "C:\\Windows\\SysWOW64\\kernel32.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml", "C:\\Windows\\System32\\winnsi.dll", "C:\\Windows\\SysWOW64\\shlwapi.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp", "C:\\Windows\\SysWOW64\\cfgmgr32.dll", "C:\\Windows\\System32\\bcrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\System32\\cryptsp.dll", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "C:\\Windows\\System32\\dhcpcsvc6.DLL", "C:\\Windows\\SysWOW64\\ole32.dll", "C:\\Windows\\System32\\devrtl.dll", "C:\\Windows\\System32\\profapi.dll", "C:\\Windows\\SysWOW64\\crypt32.dll", "C:\\Windows\\SysWOW64\\msasn1.dll", "C:\\Windows\\System32\\IPHLPAPI.DLL", "C:\\Users\\cuck\\AppData\\Local\\Temp\\", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "C:\\Windows\\SysWOW64\\shell32.dll", "C:\\Windows\\SysWOW64\\lpk.dll", "C:\\Windows\\System32\\version.dll", "C:\\Windows\\SysWOW64\\wintrust.dll", 
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "C:\\Windows\\System32\\gpapi.dll", "C:\\Windows\\System32\\userenv.dll", "C:\\Windows\\System32\\webio.dll", "C:\\Windows\\System32\\rasadhlp.dll", "C:\\Windows\\System32\\dhcpcsvc.dll", "C:\\Windows\\System32\\en-US\\erofflps.txt", "C:\\Windows\\System32\\ncrypt.dll", "C:\\Windows\\SysWOW64\\ntdll.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "C:\\Windows\\SysWOW64\\usp10.dll", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Windows\\SysWOW64\\ws2_32.dll", "C:\\Windows\\SysWOW64\\sechost.dll", "C:\\Windows\\System32\\cryptnet.dll", "C:\\Windows\\System32\\wship6.dll", "C:\\Windows\\System32\\credssp.dll", "C:\\Windows\\System32\\imm32.dll", "C:\\Windows\\SysWOW64\\gdi32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "C:\\Windows\\SysWOW64\\imagehlp.dll", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\SysWOW64\\rpcrt4.dll", "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll", "C:\\Windows\\System32\\WSHTCPIP.DLL", "C:\\Windows\\System32\\rsaenh.dll", "C:\\Windows\\SysWOW64\\nsi.dll", "C:\\Windows\\SysWOW64\\Wldap32.dll", "C:\\Windows\\System32\\uxtheme.dll", "C:\\Windows\\System32\\SensApi.dll", "C:\\Windows\\SysWOW64\\KERNELBASE.dll", "C:\\Windows\\SysWOW64\\msvcrt.dll" ], "mutex": [ "Global\\b892f634-daf5-11e9-8829-08002749d99b" ], "guid": [ "{713aacc8-3b71-435c-a3a1-be4e53621ab1}", "{22e4c895-8ab9-40bb-b81a-001dd9b1f449}" ], "file_read": [ "C:\\Windows\\win.ini" ], "regkey_read": [ "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\GPAPI.dll", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wshtcpip.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DEVRTL.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WS2_32.dll", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SspiCli.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wship6.dll", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WLDAP32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IPHLPAPI.DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\credssp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNELBASE.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\NSI.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\imagehlp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\COMCTL32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset", "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\webio.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPT32.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WINTRUST.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows\\CSDBuildNumber", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\RPCRT4.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINHTTP.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\SensApi.dll", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\sechost.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CFGMGR32.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\ncrypt.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\uxtheme.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\cryptnet.dll", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MachineID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rsaenh.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IMM32.DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\USERENV.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSCTF.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSASN1.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DNSAPI.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ADVAPI32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Disabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc6.DLL", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc.DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\CRYPTSP.dll", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\msvcrt.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\ntdll.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\Cabinet.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\mswsock.dll", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\GDI32.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rasadhlp.dll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINNSI.DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\bcrypt.dll", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\VERSION.dll" ], "directory_enumerated": [ "C:\\Windows\\System32\\apphelp.dll", "C:\\Windows\\SysWOW64", "C:\\Users\\cuck\\AppData", 
"C:\\Windows\\SysWOW64\\user32.dll", "C:\\Windows\\SysWOW64\\advapi32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib", "C:\\Windows\\SysWOW64\\msctf.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\SysWOW64\\sspicli.dll", "C:\\Windows\\System32\\cabinet.dll", "C:\\Windows\\System32\\winhttp.dll", "C:\\Windows\\SysWOW64\\kernel32.dll", "C:\\Windows\\SysWOW64\\msvcrt.dll", "C:\\Windows\\assembly", "C:\\Windows\\System32\\winnsi.dll", "C:\\Windows\\SysWOW64\\shlwapi.dll", "C:\\Windows\\System32\\bcrypt.dll", "C:\\Windows\\SysWOW64\\cfgmgr32.dll", "C:\\Windows\\System32\\WSHTCPIP.DLL", "C:\\Windows\\System32", "C:\\Windows\\System32\\cryptsp.dll", "C:\\Windows\\System32\\webio.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "C:\\Windows\\SysWOW64\\ole32.dll", "C:\\Windows\\System32\\devrtl.dll", "C:\\Windows\\System32\\profapi.dll", "C:\\Windows\\System32\\mscoree.dll", "C:\\Windows\\SysWOW64\\crypt32.dll", "C:\\Windows\\SysWOW64\\msasn1.dll", "C:\\Windows\\System32\\IPHLPAPI.DLL", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "C:\\Windows\\SysWOW64\\shell32.dll", "C:\\Windows\\SysWOW64\\lpk.dll", "C:\\Windows\\System32\\version.dll", "C:\\Users", "C:\\Windows\\SysWOW64\\wintrust.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_66cb87fc63aae6c3cbb79a998d143e7b8dd8b0_cab_*", "C:\\Windows\\System32\\gpapi.dll", "C:\\Windows\\System32\\userenv.dll", "C:\\Windows\\SysWOW64\\nsi.dll", "C:\\Windows\\System32\\rasadhlp.dll", "C:\\Windows\\System32\\dhcpcsvc.dll", "C:\\Windows\\System32\\ncrypt.dll", "C:\\Windows\\SysWOW64\\ntdll.dll", "C:\\Users\\cuck", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Windows\\SysWOW64\\ws2_32.dll", "C:\\Windows\\SysWOW64\\sechost.dll", "C:\\Windows\\System32\\cryptnet.dll", "C:\\Users\\cuck\\AppData\\Local", "C:\\Windows\\System32\\wship6.dll", 
"C:\\Windows\\System32\\credssp.dll", "C:\\Windows\\System32\\imm32.dll", "C:\\Windows\\SysWOW64\\gdi32.dll", "C:\\Windows\\System32\\mswsock.dll", "C:\\Windows\\SysWOW64\\imagehlp.dll", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\SysWOW64\\usp10.dll", "C:\\Windows\\SysWOW64\\rpcrt4.dll", "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll", "C:\\Windows\\System32\\drivers\\*.mrk", "C:\\Windows\\System32\\rsaenh.dll", "C:\\Windows", "C:\\Windows\\winsxs", "C:\\Windows\\SysWOW64\\Wldap32.dll", "C:\\Windows\\System32\\uxtheme.dll", "C:\\Windows\\System32\\SensApi.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_66cb87fc63aae6c3cbb79a998d143e7b8dd8b0_cab_*" ] }, "first_seen": 1568915651.9055, "ppid": 2816 }, { "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "process_name": "ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "pid": 2816, "summary": { "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "file_recreated": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "\\Device\\KsecDD", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList" ], "dll_loaded": [ "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll", "imagehlp.dll", "API-MS-Win-Security-LSALookup-L1-1-0.dll", "credssp.dll", "ntdll", "API-MS-WIN-Service-Management-L2-1-0.dll", "gdi32.dll", "DNSAPI.dll", "kernel32.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "SensApi.dll", "ntdll.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll", "cryptsp.dll", "imm32.dll", "ADVAPI32.dll", "ncrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll", "bcrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "cryptnet.dll", "crypt32.dll", "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "AdvApi32.dll", "SspiCli.dll", "advapi32.dll", "ole32.dll", "SHLWAPI.dll", "CRYPTSP.dll", "USER32.dll", "C:\\Windows\\system32\\IMM32.DLL", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "IPHLPAPI.DLL", "C:\\Windows\\syswow64\\CRYPT32.dll", "RichEd20.dll", "NSI.dll", "winhttp.dll", "profapi.dll", "RPCRT4.dll", "C:\\Windows\\System32\\wship6.dll", "setupapi.dll", "mscorsec.dll", 
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "VERSION.dll", "mscoree.dll", "CFGMGR32.dll", "WINTRUST.DLL", "C:\\Windows\\system32\\cryptnet.dll", "DEVRTL.dll", "C:\\Windows\\system32\\mswsock.dll", "shell32.dll", "C:\\Windows\\System32\\wshtcpip.dll", "WS2_32.dll", "Cabinet.dll", "WINHTTP.dll" ], "file_failed": [ "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FA47BF11E3FC6DA7A80A2910535F021F", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_EC6918D7CB4A54242E7A79500CDB31EB", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3D0AC26322348780E90E022EA217C58C", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_DC03E45EC7611F50ADAEBABE405A8C4C", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A3D5BF1283C2E63D8C8A8C72F0051F5A", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin.config", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_8A7601FFF9878487CA80CB28D50438E2" ], "regkey_opened": [ 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6292b898\\1d90e993", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards", 
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5", "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5f57882f\\140d0d2a", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList", "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83", "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global" ], "resolves_host": [ "www.download.windowsupdate.com", "sw.symcd.com", "sw.symcb.com", "s.symcb.com", "s.symcd.com" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "regkey_deleted": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "file_exists": [ "C:\\Windows\\inf\\", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac", "C:\\Users\\cuck\\AppData\\LocalLow", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.exe", "C:\\Windows\\Globalization\\en-us.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.config", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\System32\\qagentrt.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Windows\\System32\\dnsapi.dll", "C:\\Windows\\System32\\MSCOREE.DLL.local", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.dll", "C:\\Windows\\System32\\p2pcollab.dll" ], "file_opened": [ "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Windows\\System32\\l_intl.nls", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\LocalLow", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Windows\\System32\\netmsg.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Windows\\assembly\\pubpol4.dat", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "command_line": [ "dw20.exe -x -s 1108" ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp" ], "regkey_read": [ 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 
0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 
0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4" ], "directory_enumerated": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.INI", "C:\\Users", "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_*", "C:\\Users\\cuck\\AppData", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI", "C:\\Windows", "C:\\Windows\\winsxs", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll", "C:\\Users\\cuck\\AppData\\Local", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_*", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" ] }, "first_seen": 1568915587.5938, "ppid": 2016 }, { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 476, "summary": {}, "first_seen": 1568915587.3281, "ppid": 
376 } ]
The Yara rules did not detect anything in the file.
Avira.Systray.exe has been reported to listen on the following TCP/UDP ports.
Port | Protocol | # Occurrences |
---|---|---|
50413 | UDP v4 | 1 |
Property | Value |
---|---|
MD5 | 9cd7e437d8a2fb2f6b8efbc8296b911c |
SHA256 | ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3 |
These are some of the error messages that can appear related to avira.systray.exe:
avira.systray.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
avira.systray.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Avira has stopped working.
End Program - avira.systray.exe. This program is not responding.
avira.systray.exe is not a valid Win32 application.
avira.systray.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
The poll result listed below shows what users chose to do with the file. 100% have voted for removal. Based on votes from 1 user.
Choice | Share of votes | Number of votes |
---|---|---|
Keep | 0 % | 0 |
Remove | 100 % | 1 |
NOTE: Please do not use this poll as the only source of input to determine what you will do with the file. Only 1 user has voted so far so it does not offer a high degree of confidence.
If you feel that you need more information to determine whether you should keep this file or remove it, please read this guide.
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.