What is Avira.Systray.exe?
Avira.Systray.exe is part of Avira.Systray and developed by Avira Operations GmbH & Co. KG according to the Avira.Systray.exe version information.
Avira.Systray.exe's description is "Avira"
Avira.Systray.exe is digitally signed by Avira Operations GmbH & Co. KG.
Avira.Systray.exe is usually located in the 'C:\Program Files (x86)\Avira\Launcher\' folder.
None of the anti-virus scanners at VirusTotal reports anything malicious about Avira.Systray.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on Avira.Systray.exe:
| Property | Value |
|---|---|
| Product name | Avira.Systray |
| Company name | Avira Operations GmbH & Co. KG |
| File description | Avira |
| Internal name | Avira.Systray.exe |
| Original filename | Avira.Systray.exe |
| Legal copyright | Copyright © 2019 Avira Operations GmbH & Co. KG and its Licensors |
| Product version | 1.2.136.25116 |
| File version | 1.2.136.25116 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | Avira.Systray |
| Company name | Avira Operations GmbH & Co. KG |
| File description | Avira |
| Internal name | Avira.Systray.exe |
| Original filename | Avira.Systray.exe |
| Legal copyright | Copyright © 2019 Avira Operations G.. |
| Product version | 1.2.136.25116 |
| File version | 1.2.136.25116 |
Digital signatures [?]
Avira.Systray.exe has a valid digital signature.
| Property | Value |
|---|---|
| Signer name | Avira Operations GmbH & Co. KG |
| Certificate issuer name | Symantec Class 3 Extended Validation Code Signing CA - G2 |
| Certificate serial number | 1feb5456b9e0c2c68357c42975b98224 |
VirusTotal report
None of the 71 anti-virus programs at VirusTotal detected the Avira.Systray.exe file.
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"\\Device\\KsecDD",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList"
],
"dll_loaded": [
"dbghelp.dll",
"version.dll",
"imm32.dll",
"C:\\Windows\\system32\\ole32.dll",
"imagehlp.dll",
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"ntdll",
"gdi32.dll",
"CFGMGR32.dll",
"DUI70.dll",
"C:\\Windows\\system32\\DUser.dll",
"UxTheme.dll",
"AdvApi32.dll",
"SensApi.dll",
"werui.dll",
"dwmapi.dll",
"ntdll.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"cryptsp.dll",
"winhttp.dll",
"verifier.dll",
"ncrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\system32\\RICHED20.DLL",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"cryptnet.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"setupapi.dll",
"crypt32.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"psapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"OLEAUT32.DLL",
"SspiCli.dll",
"C:\\Windows\\system32\\wer.dll",
"advapi32.dll",
"comctl32",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"USER32.dll",
"Comctl32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
"credssp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"IPHLPAPI.DLL",
"C:\\Windows\\syswow64\\CRYPT32.dll",
"shell32.dll",
"C:\\Windows\\system32\\xmllite.dll",
"bcrypt.dll",
"OLEAUT32.dll",
"profapi.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"C:\\Windows\\System32\\wship6.dll",
"DUser.dll",
"comctl32.dll",
"NSI.dll",
"mscorsec.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"RichEd20.dll",
"VERSION.dll",
"mscoree.dll",
"kernel32.dll",
"WINTRUST.DLL",
"C:\\Windows\\system32\\cryptnet.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"DEVRTL.dll",
"C:\\Windows\\system32\\mswsock.dll",
"powrprof.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"WS2_32.dll",
"Cabinet.dll",
"user32.dll",
"WINHTTP.dll"
],
"file_opened": [
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\crypt32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\System32\\cabinet.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\gpapi.dll",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\System32\\IPHLPAPI.DLL",
"C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Windows\\SysWOW64\\wintrust.dll",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Windows\\System32\\rasadhlp.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\System32\\WSHTCPIP.DLL",
"C:\\Windows\\System32\\wship6.dll",
"C:\\Windows\\System32\\credssp.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
"C:\\Windows\\SysWOW64\\Wldap32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\System32\\winnsi.dll",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\System32\\webio.dll",
"C:\\Windows\\System32\\devrtl.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Windows\\win.ini",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\SysWOW64\\ws2_32.dll",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Windows\\System32\\SensApi.dll",
"C:\\Windows\\System32\\uxtheme.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Windows\\System32\\cryptnet.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Windows\\System32\\dhcpcsvc6.DLL",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"C:\\Windows\\System32\\winhttp.dll",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\SysWOW64\\cfgmgr32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp",
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Windows\\System32\\userenv.dll",
"C:\\Windows\\System32\\bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\System32\\cryptsp.dll",
"C:\\Windows\\SysWOW64\\nsi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Windows\\SysWOW64\\msasn1.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Windows\\System32\\dhcpcsvc.dll",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\System32\\ncrypt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\SysWOW64\\imagehlp.dll",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll"
],
"command_line": [
"dw20.exe -x -s 1108"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5f57882f\\140d0d2a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6292b898\\1d90e993",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
],
"resolves_host": [
"sw.symcd.com",
"watson.microsoft.com",
"s.symcb.com",
"s.symcd.com",
"www.download.windowsupdate.com",
"sw.symcb.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"file_exists": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\System32\\qagentrt.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\System32\\cabinet.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\System32\\winhttp.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Windows\\System32\\winnsi.dll",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp",
"C:\\Windows\\SysWOW64\\cfgmgr32.dll",
"C:\\Windows\\System32\\bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\System32\\cryptsp.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.dll",
"C:\\Windows\\System32\\dhcpcsvc6.DLL",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\devrtl.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.exe",
"C:\\Windows\\SysWOW64\\crypt32.dll",
"C:\\Windows\\SysWOW64\\msasn1.dll",
"C:\\Windows\\System32\\IPHLPAPI.DLL",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Windows\\SysWOW64\\wintrust.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\System32\\gpapi.dll",
"C:\\Windows\\System32\\userenv.dll",
"C:\\Windows\\inf\\",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\System32\\webio.dll",
"C:\\Windows\\System32\\rasadhlp.dll",
"C:\\Windows\\System32\\dhcpcsvc.dll",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\System32\\ncrypt.dll",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\SysWOW64\\ws2_32.dll",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\cryptnet.dll",
"C:\\Windows\\System32\\wship6.dll",
"C:\\Windows\\System32\\p2pcollab.dll",
"C:\\Windows\\System32\\credssp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.config",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\Windows\\SysWOW64\\imagehlp.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
"C:\\Windows\\System32\\WSHTCPIP.DLL",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\SysWOW64\\nsi.dll",
"C:\\Windows\\SysWOW64\\Wldap32.dll",
"C:\\Windows\\System32\\uxtheme.dll",
"C:\\Windows\\System32\\SensApi.dll",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll"
],
"mutex": [
"Global\\b892f634-daf5-11e9-8829-08002749d99b"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FA47BF11E3FC6DA7A80A2910535F021F",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_EC6918D7CB4A54242E7A79500CDB31EB",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3D0AC26322348780E90E022EA217C58C",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_DC03E45EC7611F50ADAEBABE405A8C4C",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A3D5BF1283C2E63D8C8A8C72F0051F5A",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_8A7601FFF9878487CA80CB28D50438E2"
],
"guid": [
"{713aacc8-3b71-435c-a3a1-be4e53621ab1}",
"{22e4c895-8ab9-40bb-b81a-001dd9b1f449}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\GPAPI.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wshtcpip.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DEVRTL.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WS2_32.dll",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SspiCli.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wship6.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WLDAP32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IPHLPAPI.DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNELBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\NSI.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\imagehlp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\COMCTL32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\webio.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPT32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WINTRUST.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\RPCRT4.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINHTTP.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\SensApi.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\sechost.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CFGMGR32.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\ncrypt.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\uxtheme.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\cryptnet.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MachineID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rsaenh.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IMM32.DLL",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\USERENV.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSCTF.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSASN1.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DNSAPI.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ADVAPI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc6.DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc.DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\CRYPTSP.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\msvcrt.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\ntdll.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\Cabinet.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\mswsock.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\GDI32.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rasadhlp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINNSI.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\bcrypt.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\VERSION.dll"
],
"directory_enumerated": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\System32\\cabinet.dll",
"C:\\Windows\\System32\\winhttp.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\assembly",
"C:\\Windows\\System32\\winnsi.dll",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\System32\\bcrypt.dll",
"C:\\Windows\\SysWOW64\\cfgmgr32.dll",
"C:\\Windows\\System32\\WSHTCPIP.DLL",
"C:\\Windows\\System32",
"C:\\Windows\\System32\\cryptsp.dll",
"C:\\Windows\\System32\\webio.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\devrtl.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\crypt32.dll",
"C:\\Windows\\SysWOW64\\msasn1.dll",
"C:\\Windows\\System32\\IPHLPAPI.DLL",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Users",
"C:\\Windows\\SysWOW64\\wintrust.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_66cb87fc63aae6c3cbb79a998d143e7b8dd8b0_cab_*",
"C:\\Windows\\System32\\gpapi.dll",
"C:\\Windows\\System32\\userenv.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows\\SysWOW64\\nsi.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\System32\\rasadhlp.dll",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_*",
"C:\\Windows\\System32\\dhcpcsvc.dll",
"C:\\Windows\\System32\\ncrypt.dll",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\SysWOW64\\ws2_32.dll",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\cryptnet.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\wship6.dll",
"C:\\Windows\\System32\\credssp.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.INI",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\SysWOW64\\imagehlp.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_*",
"C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
"C:\\Windows\\System32\\drivers\\*.mrk",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\SysWOW64\\Wldap32.dll",
"C:\\Windows\\System32\\uxtheme.dll",
"C:\\Windows\\System32\\SensApi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_66cb87fc63aae6c3cbb79a998d143e7b8dd8b0_cab_*"
]
}Dropped
[
{
"yara": [],
"sha1": "c64ad224b877cd5bbdcdb1799b71f3682602d231",
"name": "b0a39e28d93f7822_Tar57AA.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"type": "data",
"sha256": "b0a39e28d93f7822fe6cac1e082c7adc581dcd2b61eb9f536e74bd14a75b27bc",
"urls": [
"http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0",
"http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07",
"http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0",
"http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0",
"http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u"
],
"crc32": "B495BE07",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/b0a39e28d93f7822_Tar57AA.tmp",
"ssdeep": null,
"size": 138525,
"sha512": "0663fb22bcefd0ac5f090104322a8c0dc1ceb77a168b589d7dbb9a74d109daf38beac97dab715220abab08c355496f5719159e17995248caa19eff45bc2a5d46",
"pids": [
2816
],
"md5": "0e34ebf89b843b303f0fb5f194be9d28"
},
{
"yara": [
{
"meta": {
"description": "Contains an embedded Mach-O file",
"author": "nex"
},
"name": "embedded_macho",
"offsets": {
"magic1": [
[
6794731,
0
]
]
},
"strings": [
"yv66vg=="
]
},
{
"meta": {
"description": "Contains an embedded PE32 file",
"author": "nex"
},
"name": "embedded_pe",
"offsets": {
"a": [
[
11878238,
0
],
[
16210212,
0
]
],
"b": [
[
3597770,
1
]
]
},
"strings": [
"UEUzMg==",
"VGhpcyBwcm9ncmFt"
]
},
{
"meta": {
"description": "A non-Windows executable contains win32 API functions names",
"author": "nex"
},
"name": "embedded_win_api",
"offsets": {
"api6": [
[
9384895,
4
],
[
10690397,
4
],
[
11938275,
4
],
[
11966776,
4
]
],
"api1": [
[
3660851,
0
],
[
3660918,
0
]
],
"api8": [
[
9382821,
1
],
[
10688311,
1
],
[
11897980,
1
],
[
11938353,
1
]
],
"api14": [
[
9382821,
1
],
[
10688311,
1
],
[
11897980,
1
],
[
11938353,
1
]
],
"api12": [
[
9384826,
3
],
[
11938231,
3
],
[
11938251,
3
]
],
"api13": [
[
9382903,
2
],
[
11937857,
2
]
]
},
"strings": [
"Q3JlYXRlRmlsZUE=",
"R2V0V2luZG93c0RpcmVjdG9yeQ==",
"R2V0VGVtcFBhdGg=",
"U2V0RmlsZVBvaW50ZXI=",
"V3JpdGVGaWxl"
]
},
{
"meta": {
"description": "Matched shellcode byte patterns",
"author": "nex"
},
"name": "shellcode",
"offsets": {
"shell7": [
[
8547723,
0
],
[
8562075,
0
],
[
8562315,
0
],
[
8562363,
0
],
[
8563499,
0
],
[
8581803,
0
],
[
8662315,
0
],
[
8733547,
0
],
[
8733739,
0
],
[
8755211,
0
],
[
8783739,
0
],
[
8812971,
0
],
[
8832987,
0
],
[
8859851,
0
],
[
8878715,
0
],
[
8948171,
0
],
[
8987115,
0
],
[
9028683,
0
],
[
9047147,
0
],
[
9047211,
0
],
[
9091675,
0
],
[
9105355,
0
],
[
9107275,
0
],
[
9115275,
0
],
[
13602943,
0
],
[
13670687,
0
],
[
13670859,
0
],
[
13670887,
0
],
[
13670915,
0
],
[
13670991,
0
],
[
13687207,
0
],
[
13687835,
0
],
[
13722059,
0
],
[
13739467,
0
],
[
13759011,
0
],
[
13772039,
0
],
[
13837771,
0
],
[
13846771,
0
],
[
13890779,
0
],
[
13891239,
0
],
[
13894303,
0
],
[
13898731,
0
],
[
13937059,
0
],
[
13956727,
0
],
[
13956755,
0
],
[
13956783,
0
],
[
13959835,
0
],
[
13959871,
0
],
[
13959971,
0
],
[
13960007,
0
],
[
13960051,
0
],
[
13961227,
0
],
[
13961271,
0
],
[
13961311,
0
],
[
13962111,
0
],
[
13962147,
0
],
[
14287851,
0
],
[
14287915,
0
],
[
14287943,
0
],
[
14288315,
0
],
[
14288667,
0
],
[
14289083,
0
],
[
14289115,
0
],
[
14289531,
0
],
[
14289563,
0
],
[
14289851,
0
],
[
14289883,
0
],
[
14289951,
0
],
[
14289979,
0
],
[
14298299,
0
],
[
14298331,
0
],
[
14298363,
0
],
[
14298459,
0
],
[
14306267,
0
],
[
14306435,
0
],
[
14306651,
0
],
[
14312835,
0
],
[
14313235,
0
],
[
14314043,
0
],
[
14314307,
0
],
[
14369635,
0
],
[
14369691,
0
],
[
14545891,
0
],
[
14550043,
0
],
[
14555511,
0
],
[
14566707,
0
],
[
14572603,
0
],
[
14591195,
0
],
[
14608091,
0
],
[
14699623,
0
],
[
14742427,
0
],
[
14793343,
0
],
[
14793391,
0
],
[
14793547,
0
],
[
14793627,
0
],
[
14793675,
0
],
[
14808943,
0
],
[
14810647,
0
],
[
14827067,
0
],
[
14845971,
0
],
[
14883691,
0
],
[
15197403,
0
],
[
15197599,
0
],
[
15197787,
0
],
[
15197947,
0
],
[
15198043,
0
],
[
15198363,
0
],
[
15200427,
0
],
[
15201747,
0
],
[
15202575,
0
],
[
15202607,
0
],
[
15203867,
0
],
[
15204539,
0
],
[
15215575,
0
],
[
15217019,
0
],
[
15217115,
0
],
[
15218143,
0
],
[
15224115,
0
],
[
15227019,
0
],
[
15227135,
0
],
[
15229503,
0
],
[
15243739,
0
],
[
15254203,
0
],
[
15258363,
0
],
[
15258395,
0
],
[
15259995,
0
],
[
15262111,
0
],
[
15262587,
0
],
[
15263143,
0
],
[
15263735,
0
],
[
15263995,
0
],
[
15264967,
0
],
[
15265179,
0
],
[
15269499,
0
],
[
15269635,
0
],
[
15269959,
0
],
[
15270535,
0
],
[
15271667,
0
],
[
15272327,
0
],
[
15279147,
0
],
[
15285479,
0
],
[
15286619,
0
],
[
15286911,
0
],
[
15289903,
0
],
[
15293243,
0
],
[
15293947,
0
],
[
15295555,
0
],
[
15301371,
0
],
[
15301571,
0
],
[
15304795,
0
],
[
15304891,
0
],
[
15307999,
0
],
[
15308187,
0
],
[
15309019,
0
],
[
15309795,
0
],
[
15310123,
0
],
[
15312059,
0
],
[
15312487,
0
],
[
15314319,
0
],
[
15326171,
0
],
[
15327011,
0
],
[
15333751,
0
],
[
15338439,
0
],
[
15339671,
0
],
[
15339739,
0
],
[
15339907,
0
],
[
15340839,
0
],
[
15341371,
0
],
[
15346491,
0
],
[
15346739,
0
],
[
15355347,
0
],
[
15355675,
0
],
[
15359547,
0
],
[
15363259,
0
],
[
15363323,
0
],
[
15364347,
0
],
[
15365163,
0
],
[
15365907,
0
],
[
15366035,
0
],
[
15373599,
0
],
[
15373755,
0
],
[
15379843,
0
],
[
15381031,
0
],
[
15381115,
0
],
[
15381367,
0
],
[
15382475,
0
],
[
15382587,
0
],
[
15389431,
0
],
[
15392075,
0
],
[
15407391,
0
],
[
15410791,
0
],
[
15416591,
0
],
[
15417243,
0
],
[
15419655,
0
],
[
15420947,
0
],
[
15421115,
0
],
[
15421379,
0
],
[
15421439,
0
],
[
15422747,
0
],
[
15423207,
0
],
[
15424843,
0
],
[
15425291,
0
],
[
15434203,
0
],
[
15434395,
0
],
[
15436091,
0
],
[
15436507,
0
],
[
15437887,
0
],
[
15441471,
0
],
[
15442879,
0
],
[
15449595,
0
],
[
15453583,
0
],
[
15456095,
0
],
[
15458523,
0
],
[
15463867,
0
],
[
15464047,
0
],
[
15468447,
0
],
[
15469475,
0
],
[
15469531,
0
],
[
15470727,
0
],
[
15471395,
0
],
[
15472615,
0
],
[
15473415,
0
],
[
15483387,
0
],
[
15486555,
0
],
[
15486715,
0
],
[
15487947,
0
],
[
15488955,
0
],
[
15491791,
0
],
[
15492223,
0
],
[
15496215,
0
],
[
15496723,
0
],
[
15502747,
0
],
[
15502939,
0
],
[
15504603,
0
],
[
15505163,
0
],
[
15506987,
0
],
[
15509055,
0
],
[
15514147,
0
],
[
15517339,
0
],
[
15521083,
0
],
[
15521647,
0
],
[
15522579,
0
],
[
15522843,
0
],
[
15523995,
0
],
[
15524611,
0
],
[
15528379,
0
],
[
15528911,
0
],
[
15532355,
0
],
[
15532795,
0
],
[
15534083,
0
]
],
"shell1": [
[
9991440,
1
],
[
10002858,
1
],
[
10121172,
1
],
[
10295016,
1
],
[
10346620,
1
],
[
10388874,
1
],
[
10434770,
1
],
[
10461558,
1
],
[
10486288,
1
],
[
10531460,
1
]
]
},
"strings": [
"VYvs6A==",
"ZItk"
]
}
],
"sha1": "18a83f4d962f0a7b402bf5cc7c9f4a0abdb626ca",
"name": "a8e742aac2cbb8b0_wer65de.tmp.hdmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp",
"type": "MDMP crash report data",
"sha256": "a8e742aac2cbb8b0902740bd1bcda949d088114875eeb7818f982b2663d2d04b",
"urls": [
"http:\/\/s.symcb.com\/universal-root.crl0",
"http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07",
"http:\/\/www2.public-trust.com\/crl\/ct\/ctroot.crl0",
"http:\/\/crl.xrampsecurity.com\/XGCA.crl0",
"http:\/\/users.ocsp.d-trust.net03",
"http:\/\/www.trustcenter.de\/guidelines0",
"http:\/\/sw.symcd.com0",
"http:\/\/crl.usertrust.com\/UTN-DATACorpSGC.crl0",
"http:\/\/www.rootca.or.kr\/rca\/cps.html0",
"http:\/\/www.a-cert.at0E",
"http:\/\/crl.verisign.com\/pca3.crl0",
"https:\/\/www.verisign.com\/rpa0",
"http:\/\/crl.securetrust.com\/STCA.crl0",
"http:\/\/ocsp.infonotary.com\/responder.cgi0V",
"http:\/\/www.d-trust.net\/crl\/d-trust_qualified_root_ca_1_2007_pn.crl0",
"http:\/\/www.entrust.net\/CRL\/Client1.crl0",
"http:\/\/www.ssc.lt\/cps03",
"http:\/\/qual.ocsp.d-trust.net0",
"http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0",
"https:\/\/www.verisign.com\/CPS04",
"http:\/\/www.a-cert.at\/certificate-policy.html0",
"http:\/\/ts-crl.ws.symantec.com\/sha256-tss-ca.crl0",
"https:\/\/d.symcb.com\/cps0%",
"http:\/\/www.pki.gva.es\/cps0",
"http:\/\/www.registradores.org\/scr\/normativa\/cp_f2.htm0",
"http:\/\/www.usertrust.com1604",
"http:\/\/ca.sia.it\/seccli\/repository\/CRL.der0J",
"http:\/\/cps.chambersign.org\/cps\/publicnotaryroot.html0",
"http:\/\/sw1.symcb.com\/sw.crt0",
"http:\/\/www.signatur.rtr.at\/current.crl0",
"http:\/\/www.certplus.com\/CRL\/class2.crl0",
"https:\/\/www.verisign.com\/repository\/verisignlogo.gif0D",
"http:\/\/repository.swisssign.com\/0",
"http:\/\/www.microsoft.com\/pki\/cert",
"http:\/\/crl.ssc.lt\/root-a\/cacrl.crl0",
"http:\/\/cps.chambersign.org\/cps\/chambersroot.html0",
"http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0",
"https:\/\/d.symcb.com\/rpa0",
"http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0",
"http:\/\/crl.chambersign.org\/publicnotaryroot.crl0",
"https:\/\/www.verisign.com",
"http:\/\/crl.pki.wellsfargo.com\/wsprca.crl0",
"http:\/\/www.signatur.rtr.at\/de\/directory\/cps.html0",
"http:\/\/www.e-trusX",
"http:\/\/www.post.trust.ie\/reposit\/cps.html0",
"http:\/\/www.usertrust.com1",
"http:\/\/www.certplus.com\/CRL\/class3P.crl0",
"http:\/\/www.d-trust.net0",
"http:\/\/logo.verisign.com\/vslogo.gif0",
"https:\/\/www.netlock.net\/docs",
"http:\/\/fedir.comsign.co.il\/crl\/ComSignSecuredCA.crl0",
"http:\/\/www.d-trust.net\/crl\/d-trust_root_class_3_ca_2007.crl0",
"http:\/\/ocsp.pki.gva.es0",
"http:\/\/ts-ocsp.ws.symantec.com0",
"https:\/\/d.symcb.com\/rpa0.",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-ClientAuthenticationandEmail.crl0",
"https:\/\/secure.a-cert.at\/cgi-bin\/a-cert-advanced.cgi0",
"https:\/\/www.verisign.com\/repository\/CPS",
"https:\/\/ca.sia.it\/seccli\/repository\/CPS0",
"http:\/\/www.chambersign.org1",
"http:\/\/g",
"http:\/\/www.valicert.com\/1",
"http:\/\/certificates.starfieldtech.com\/repository\/1604",
"https:\/\/ca.sia.it\/secsrv\/repository\/CPS0",
"http:\/\/ts-aia.ws.symantec.com\/sha256-tss-ca.cer0(",
"http:\/\/www.ancert.com\/cps0",
"http:\/\/crl.chambersign.org\/chambersroot.crl0",
"http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u",
"http:\/\/www.certicamara.com\/certicamaraca.crl0",
"http:\/\/ca.sia.it\/secsrv\/repository\/CRL.der0J",
"http:\/\/crl.chamb",
"http:\/\/crl.globalsign.net\/root-r2.crl0",
"http:\/\/www.e-trust.be\/CPS\/QNcerts",
"http:\/\/s.symcd.com06",
"http:\/\/crl.usertrust.com\/UTN-USERFirst-Hardware.crl01"
],
"crc32": "C64373AF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/a8e742aac2cbb8b0_wer65de.tmp.hdmp",
"ssdeep": null,
"size": 23791114,
"sha512": "4047dcd4e74c68446c1f369d1e1857725ecb8d4add916fabd9ce1a8b2858085c676b3cf1a8295a20897ac3c10aa79b6611a8f4cc360c28b9c977ec155f24dff1",
"pids": [
2248
],
"md5": "a7a68a38c3e40737913c44660ff7c65c"
},
{
"yara": [],
"sha1": "184d3fffeccd2c6ab2e54820b6638f08e1afffd9",
"name": "24098bcb3613d6ec_wer5b7d.tmp.werinternalmetadata.xml",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"type": "XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators",
"sha256": "24098bcb3613d6ecf79063c4332e48292ac554455508917b574dba6ba4713397",
"urls": [],
"crc32": "373C3B51",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/24098bcb3613d6ec_wer5b7d.tmp.werinternalmetadata.xml",
"ssdeep": null,
"size": 2650,
"sha512": "a922c676293d47e2617de0342858659e25edbbfd58773aa40dbe42590e09b83c359c4ae102a5a2804cc790a3329507a774be9b628b7d65f2947cae4eecb86e6c",
"pids": [
2248
],
"md5": "85ba2b7593285cf41e23b16f3fa6bc3f"
},
{
"yara": [],
"sha1": "cf925fc512b936fe7d44ceb6e999e4a020ed6ff0",
"name": "4c9c4d831d61c8c3_Cab5799.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"type": "Microsoft Cabinet archive data, 56952 bytes, 1 file",
"sha256": "4c9c4d831d61c8c38b2513f9b431ef4f4cf6af9fb18a2317cd2178d6e0997822",
"urls": [],
"crc32": "5168F337",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/4c9c4d831d61c8c3_Cab5799.tmp",
"ssdeep": null,
"size": 56952,
"sha512": "65dc435f6d3e1afd347ba1617a3eee59c6660f221faa36456a09e307d434d7276e8095e8aa34d59933e685a9f84564ec783e59ae9658791f7ebdbbc2eda32f7a",
"pids": [
2816
],
"md5": "04d79a0dc77a8f449cbff6252862d398"
},
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14_WER5B7D.tmp",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2641\/files\/e3b0c44298fc1c14_WER5B7D.tmp",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
}
]Generic
[
{
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe",
"process_name": "dw20.exe",
"pid": 2248,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml"
],
"dll_loaded": [
"dbghelp.dll",
"version.dll",
"C:\\Windows\\system32\\ole32.dll",
"CFGMGR32.dll",
"DUI70.dll",
"C:\\Windows\\system32\\DUser.dll",
"UxTheme.dll",
"SensApi.dll",
"werui.dll",
"dwmapi.dll",
"ntdll.dll",
"cryptsp.dll",
"winhttp.dll",
"verifier.dll",
"C:\\Windows\\system32\\RICHED20.DLL",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"psapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"OLEAUT32.DLL",
"SspiCli.dll",
"C:\\Windows\\system32\\wer.dll",
"advapi32.dll",
"comctl32",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"USER32.dll",
"Comctl32.dll",
"credssp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"IPHLPAPI.DLL",
"C:\\Windows\\system32\\xmllite.dll",
"OLEAUT32.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\wship6.dll",
"DUser.dll",
"comctl32.dll",
"NSI.dll",
"kernel32.dll",
"C:\\Windows\\system32\\mswsock.dll",
"powrprof.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"WS2_32.dll",
"user32.dll",
"WINHTTP.dll"
],
"file_opened": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Windows\\System32\\cryptnet.dll",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\System32\\cabinet.dll",
"C:\\Windows\\System32\\winhttp.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Windows\\System32\\winnsi.dll",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\System32\\bcrypt.dll",
"C:\\Windows\\SysWOW64\\cfgmgr32.dll",
"C:\\Windows\\System32\\WSHTCPIP.DLL",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\System32\\cryptsp.dll",
"C:\\Windows\\System32\\webio.dll",
"C:\\Windows\\System32\\dhcpcsvc6.DLL",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\devrtl.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\SysWOW64\\crypt32.dll",
"C:\\Windows\\SysWOW64\\msasn1.dll",
"C:\\Windows\\System32\\IPHLPAPI.DLL",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Windows\\System32\\rasadhlp.dll",
"C:\\Windows\\SysWOW64\\wintrust.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\System32\\gpapi.dll",
"C:\\Windows\\System32\\userenv.dll",
"C:\\Windows\\System32\\dhcpcsvc.dll",
"C:\\Windows\\win.ini",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\System32\\ncrypt.dll",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\SysWOW64\\ws2_32.dll",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\wship6.dll",
"C:\\Windows\\System32\\credssp.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\SysWOW64\\imagehlp.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Windows\\SysWOW64\\nsi.dll",
"C:\\Windows\\SysWOW64\\Wldap32.dll",
"C:\\Windows\\System32\\uxtheme.dll",
"C:\\Windows\\System32\\SensApi.dll",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters"
],
"resolves_host": [
"watson.microsoft.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp"
],
"file_exists": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\System32\\cabinet.dll",
"C:\\Windows\\System32\\winhttp.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5B7D.tmp.WERInternalMetadata.xml",
"C:\\Windows\\System32\\winnsi.dll",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER65DE.tmp.hdmp",
"C:\\Windows\\SysWOW64\\cfgmgr32.dll",
"C:\\Windows\\System32\\bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\System32\\cryptsp.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"C:\\Windows\\System32\\dhcpcsvc6.DLL",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\devrtl.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\SysWOW64\\crypt32.dll",
"C:\\Windows\\SysWOW64\\msasn1.dll",
"C:\\Windows\\System32\\IPHLPAPI.DLL",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Windows\\SysWOW64\\wintrust.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\System32\\gpapi.dll",
"C:\\Windows\\System32\\userenv.dll",
"C:\\Windows\\System32\\webio.dll",
"C:\\Windows\\System32\\rasadhlp.dll",
"C:\\Windows\\System32\\dhcpcsvc.dll",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\System32\\ncrypt.dll",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\SysWOW64\\ws2_32.dll",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\cryptnet.dll",
"C:\\Windows\\System32\\wship6.dll",
"C:\\Windows\\System32\\credssp.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\SysWOW64\\imagehlp.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
"C:\\Windows\\System32\\WSHTCPIP.DLL",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Windows\\SysWOW64\\nsi.dll",
"C:\\Windows\\SysWOW64\\Wldap32.dll",
"C:\\Windows\\System32\\uxtheme.dll",
"C:\\Windows\\System32\\SensApi.dll",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll"
],
"mutex": [
"Global\\b892f634-daf5-11e9-8829-08002749d99b"
],
"guid": [
"{713aacc8-3b71-435c-a3a1-be4e53621ab1}",
"{22e4c895-8ab9-40bb-b81a-001dd9b1f449}"
],
"file_read": [
"C:\\Windows\\win.ini"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\GPAPI.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wshtcpip.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DEVRTL.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WS2_32.dll",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SspiCli.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wship6.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WLDAP32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IPHLPAPI.DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNELBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\NSI.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\imagehlp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\COMCTL32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\webio.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPT32.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WINTRUST.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\RPCRT4.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINHTTP.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\SensApi.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\sechost.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CFGMGR32.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\ncrypt.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\uxtheme.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\cryptnet.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MachineID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rsaenh.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IMM32.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\USERENV.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSCTF.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSASN1.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DNSAPI.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ADVAPI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc6.DLL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc.DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\CRYPTSP.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\msvcrt.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\ntdll.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\Cabinet.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\mswsock.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\GDI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rasadhlp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINNSI.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\bcrypt.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\VERSION.dll"
],
"directory_enumerated": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\System32\\cabinet.dll",
"C:\\Windows\\System32\\winhttp.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\assembly",
"C:\\Windows\\System32\\winnsi.dll",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\System32\\bcrypt.dll",
"C:\\Windows\\SysWOW64\\cfgmgr32.dll",
"C:\\Windows\\System32\\WSHTCPIP.DLL",
"C:\\Windows\\System32",
"C:\\Windows\\System32\\cryptsp.dll",
"C:\\Windows\\System32\\webio.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\devrtl.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\crypt32.dll",
"C:\\Windows\\SysWOW64\\msasn1.dll",
"C:\\Windows\\System32\\IPHLPAPI.DLL",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Users",
"C:\\Windows\\SysWOW64\\wintrust.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_66cb87fc63aae6c3cbb79a998d143e7b8dd8b0_cab_*",
"C:\\Windows\\System32\\gpapi.dll",
"C:\\Windows\\System32\\userenv.dll",
"C:\\Windows\\SysWOW64\\nsi.dll",
"C:\\Windows\\System32\\rasadhlp.dll",
"C:\\Windows\\System32\\dhcpcsvc.dll",
"C:\\Windows\\System32\\ncrypt.dll",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\SysWOW64\\ws2_32.dll",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\cryptnet.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\wship6.dll",
"C:\\Windows\\System32\\credssp.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\SysWOW64\\imagehlp.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
"C:\\Windows\\System32\\drivers\\*.mrk",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\SysWOW64\\Wldap32.dll",
"C:\\Windows\\System32\\uxtheme.dll",
"C:\\Windows\\System32\\SensApi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_66cb87fc63aae6c3cbb79a998d143e7b8dd8b0_cab_*"
]
},
"first_seen": 1568915651.9055,
"ppid": 2816
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"process_name": "ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"pid": 2816,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"\\Device\\KsecDD",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList"
],
"dll_loaded": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"imagehlp.dll",
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"credssp.dll",
"ntdll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"gdi32.dll",
"DNSAPI.dll",
"kernel32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"SensApi.dll",
"ntdll.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"cryptsp.dll",
"imm32.dll",
"ADVAPI32.dll",
"ncrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
"bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"cryptnet.dll",
"crypt32.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"AdvApi32.dll",
"SspiCli.dll",
"advapi32.dll",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"USER32.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"IPHLPAPI.DLL",
"C:\\Windows\\syswow64\\CRYPT32.dll",
"RichEd20.dll",
"NSI.dll",
"winhttp.dll",
"profapi.dll",
"RPCRT4.dll",
"C:\\Windows\\System32\\wship6.dll",
"setupapi.dll",
"mscorsec.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"VERSION.dll",
"mscoree.dll",
"CFGMGR32.dll",
"WINTRUST.DLL",
"C:\\Windows\\system32\\cryptnet.dll",
"DEVRTL.dll",
"C:\\Windows\\system32\\mswsock.dll",
"shell32.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"WS2_32.dll",
"Cabinet.dll",
"WINHTTP.dll"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FA47BF11E3FC6DA7A80A2910535F021F",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_EC6918D7CB4A54242E7A79500CDB31EB",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3D0AC26322348780E90E022EA217C58C",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_DC03E45EC7611F50ADAEBABE405A8C4C",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A3D5BF1283C2E63D8C8A8C72F0051F5A",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_8A7601FFF9878487CA80CB28D50438E2"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6292b898\\1d90e993",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5f57882f\\140d0d2a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global"
],
"resolves_host": [
"www.download.windowsupdate.com",
"sw.symcd.com",
"sw.symcb.com",
"s.symcb.com",
"s.symcd.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"file_exists": [
"C:\\Windows\\inf\\",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.exe",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.config",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\System32\\qagentrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.dll",
"C:\\Windows\\System32\\p2pcollab.dll"
],
"file_opened": [
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"command_line": [
"dw20.exe -x -s 1108"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab50F8.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab57BB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB70B.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFF7.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A30.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarDFC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EA4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB70C.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarB72E.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE017.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab58F5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EA5.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar58F6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabDFF6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabB72D.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6EC5.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar50F9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar2880.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57AA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar57BC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabE029.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6EC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE03A.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab287F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5799.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarE018.tmp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3.INI",
"C:\\Users",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_*",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0972B7C417F696E06E186AEB26286F01_*",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
]
},
"first_seen": 1568915587.5938,
"ppid": 2016
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1568915587.3281,
"ppid": 376
}
]Signatures
[
{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1568915652.0155,
"tid": 2700,
"flags": {}
},
"pid": 2248,
"type": "call",
"cid": 95
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1568915652.0155,
"tid": 2700,
"flags": {}
},
"pid": 2248,
"type": "call",
"cid": 96
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 2,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1568915587.7657,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 365
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1568915651.8128,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 8450
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "This executable has a PDB path",
"severity": 1,
"marks": [
{
"category": "pdb_path",
"ioc": "C:\\bamboo-build\\LAUN-WCC171-JOB1\\Source\\Avira.OE.Systray\\obj\\x86\\Release\\Avira.Systray.pdb",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_pdb"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1568915651.9995,
"tid": 2700,
"flags": {}
},
"pid": 2248,
"type": "call",
"cid": 48
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 15,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f1000"
},
"time": 1568915587.7497,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 255
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002ba000"
},
"time": 1568915587.7657,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 377
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f2000"
},
"time": 1568915587.7657,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 378
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002b2000"
},
"time": 1568915587.7657,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 379
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002c2000"
},
"time": 1568915587.7808,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 507
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002c3000"
},
"time": 1568915651.7497,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 8303
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002fb000"
},
"time": 1568915651.7497,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 8310
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002f7000"
},
"time": 1568915651.7497,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 8311
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002cc000"
},
"time": 1568915651.7497,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 8352
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002ea000"
},
"time": 1568915651.7968,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 8425
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002e2000"
},
"time": 1568915651.7968,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 8437
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x002f5000"
},
"time": 1568915651.7968,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 8448
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2248,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02840000"
},
"time": 1568915652.7655,
"tid": 2516,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2248,
"type": "call",
"cid": 2715
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2248,
"region_size": 1835008,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 8192,
"base_address": "0x047b0000"
},
"time": 1568915657.7965,
"tid": 2700,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE"
}
},
"pid": 2248,
"type": "call",
"cid": 11570
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2248,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04930000"
},
"time": 1568915657.7965,
"tid": 2700,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2248,
"type": "call",
"cid": 11572
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 15,
"family": 0
},
"time": 1568915588.6098,
"tid": 1948,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 2594
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 519,
"families": [],
"description": "Potentially malicious URLs were found in the process memory dump",
"severity": 2,
"marks": [
{
"category": "url",
"ioc": "http:\/\/s.symcb.com\/universal-root.crl0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.expedia.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/uk.ask.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.priceminister.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.iask.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/ocsp.infonotary.com\/responder.cgi0V",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.merlin.com.pl\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.cnet.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.certificadodigital.com.br\/repositorio\/serasaca\/crl\/SerasaCAII.crl0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.nifty.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/ns.adobe.com\/exif\/1.0\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.etmall.com.tw\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/crl.chambersign.org\/publicnotaryroot.crl0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.goo.ne.jp\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/fr.wikipedia.org\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.e-trusX",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/busca.estadao.com.br\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.hanafos.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.chol.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.interpark.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/amazon.fr\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.amazon.co.jp\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.mtv.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/busqueda.aol.com.mx\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.live.com\/results.aspx?FORM=SOLTDF",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/msdn.microsoft.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.sogou.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.sify.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/yellowpages.superpages.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/suche.freenet.de\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/crl.chambersign.org\/chambersroot.crl0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.aol.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/browse.guardian.co.uk\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.mercadolibre.com.mx\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.asharqalawsat.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.facebook.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/si.wikipedia.org\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.rtl.de\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.msn.com\/results.aspx?q=",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.microsoft.com.",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.naver.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/fedir.comsign.co.il\/cacert\/ComSignAdvancedSecurityCA.crt0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "https:\/\/www.verisign.com\/repository\/verisignlogo.gif0D",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/crl.usertrust.com\/UTN-USERFirst-NetworkApplications.crl0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/en.wikipedia.org\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/si.wikipedia.org\/w\/api.php?action=opensearch",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.signatur.rtr.at\/de\/directory\/cps.html0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/udn.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/rover.ebay.com",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.ebay.fr\/",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "memdump_urls"
},
{
"markcount": 4,
"families": [],
"description": "Attempts to identify installed AV products by installation directory",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.dll",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore.dll",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Avira.OE.WinCore\\Avira.OE.WinCore.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antiav_detectfile"
},
{
"markcount": 2,
"families": [],
"description": "Attempts to create or modify system certificates",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "modifies_certificates"
},
{
"markcount": 2,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2248 resumed a thread in remote process 2816",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002dc",
"suspend_count": 1,
"process_identifier": 2816
},
"time": 1568915705.6405,
"tid": 2700,
"flags": {}
},
"pid": 2248,
"type": "call",
"cid": 625884
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.078332901001,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 27906,
"time": 9.0796439647675,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 29750,
"time": 37.093699932098,
"dport": 5355,
"sport": 49556
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 30070,
"time": 5.4048409461975,
"dport": 5355,
"sport": 49840
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 30390,
"time": 31.742980003357,
"dport": 5355,
"sport": 50202
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 30710,
"time": 55.586935043335,
"dport": 5355,
"sport": 50952
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 31030,
"time": 2.8188710212708,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 31350,
"time": 68.699220895767,
"dport": 5355,
"sport": 51670
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 31670,
"time": 10.660630941391,
"dport": 5355,
"sport": 52259
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 31990,
"time": 1.0145919322968,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 32318,
"time": 3.0369338989258,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 32646,
"time": 50.865056991577,
"dport": 5355,
"sport": 54025
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 32966,
"time": 24.97068810463,
"dport": 5355,
"sport": 54237
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 33286,
"time": 1.5198628902435,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 33614,
"time": 18.088680028915,
"dport": 5355,
"sport": 54335
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 33934,
"time": -0.10009789466858,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 34262,
"time": 63.357462882996,
"dport": 5355,
"sport": 55385
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 34582,
"time": 3.048003911972,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 34910,
"time": 44.504679918289,
"dport": 5355,
"sport": 56347
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 35230,
"time": 34.342637062073,
"dport": 5355,
"sport": 56353
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 35550,
"time": 54.003190040588,
"dport": 5355,
"sport": 56388
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 35870,
"time": 58.17352104187,
"dport": 5355,
"sport": 58056
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 36190,
"time": 53.440972089767,
"dport": 5355,
"sport": 58651
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 36510,
"time": 24.408225059509,
"dport": 5355,
"sport": 58989
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 36830,
"time": 60.760416984558,
"dport": 5355,
"sport": 59113
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 37150,
"time": 47.104686021805,
"dport": 5355,
"sport": 59490
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 37470,
"time": 21.823652029037,
"dport": 5355,
"sport": 59548
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 37790,
"time": 27.57679104805,
"dport": 5355,
"sport": 60071
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 38110,
"time": 39.673377037048,
"dport": 5355,
"sport": 60575
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 38430,
"time": 29.161513090134,
"dport": 5355,
"sport": 62601
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 38750,
"time": 56.599694013596,
"dport": 5355,
"sport": 63089
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 39070,
"time": 15.490571022034,
"dport": 5355,
"sport": 63506
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 39390,
"time": 26.587939977646,
"dport": 5355,
"sport": 63646
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 39710,
"time": 8.0824859142303,
"dport": 5355,
"sport": 64017
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 40030,
"time": 1.5310680866241,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 59440,
"time": 1.0352818965912,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 67824,
"time": 3.1411190032959,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "3c43e7ca75c8ff6ea8650fe476a00c94d99743280d0a1a5563dcc69c0b9802b9",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "e0cb839f24ec0e1a19ebab7ba18034e243f0d0b10f4b8da5ebc65c2007d10f59",
"irc": [],
"https_ex": []
}Screenshots
Other files also named Avira.Systray.exe
Avira.Systray.exe (15 votes)
TCP/UDP Listening Ports [?]
Avira.Systray.exe has been reported to listen on the following TCP/UDP ports.
| Port | Protocol | # Occurrences |
|---|---|---|
| 50413 | UDP v4 | 1 |
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 9cd7e437d8a2fb2f6b8efbc8296b911c |
| SHA256 | ef984e44a56a46dbf90c4443ac5908be667cbd221d6ea18a094fca7e3f0cd8f3 |
Error Messages
These are some of the error messages that can appear related to avira.systray.exe:
avira.systray.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
avira.systray.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Avira has stopped working.
End Program - avira.systray.exe. This program is not responding.
avira.systray.exe is not a valid Win32 application.
avira.systray.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with the file?
To help other users, please let us know what you will do with the file:
What did other users do?
The poll result listed below shows what users chose to do with the file. 100% have voted for removal. Based on votes from 1 user.
| Votes | |||
|---|---|---|---|
| Keep | 0 % | 0 | |
| Remove | 100 % | 1 |
NOTE: Please do not use this poll as the only source of input to determine what you will do with the file. Only 1 user has voted so far so it does not offer a high degree of confidence.
Malware or legitimate?
If you feel that you need more information to determine if your should keep this file or remove it, please read this guide.
And now some shameless self promotion ;)
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and let you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.