What is CaliforniaFonts.exe?
CaliforniaFonts.exe is part of California Fonts Manager and developed by SqueakyChocolate, LLC according to the CaliforniaFonts.exe version information.
CaliforniaFonts.exe's description is "California Fonts Manager"
CaliforniaFonts.exe is usually located in the 'C:\Program Files (x86)\California Font Manager\' folder.
Some of the anti-virus scanners at VirusTotal detected CaliforniaFonts.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on CaliforniaFonts.exe:
| Property | Value |
|---|---|
| Product name | California Fonts Manager |
| Company name | SqueakyChocolate, LLC |
| File description | California Fonts Manager |
| Internal name | CaliforniaFonts.exe |
| Original filename | CaliforniaFonts.exe |
| Comments | California Fonts Manager, all rights reserved. |
| Legal copyright | Copyright © SqueakyChocolate, LLC - 2012 |
| Legal trademark | California Fonts |
| Product version | 2.5.0.0 |
| File version | 2.5.0.0 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | California Fonts Manager |
| Company name | SqueakyChocolate, LLC |
| File description | California Fonts Manager |
| Internal name | CaliforniaFonts.exe |
| Original filename | CaliforniaFonts.exe |
| Comments | California Fonts Manager, all rights.. |
| Legal copyright | Copyright © SqueakyChocolate, LLC -.. |
| Legal trademark | California Fonts |
| Product version | 2.5.0.0 |
| File version | 2.5.0.0 |
Digital signatures [?]
CaliforniaFonts.exe is not signed.
VirusTotal report
1 of the 68 anti-virus programs at VirusTotal detected the CaliforniaFonts.exe file. That's a 1% detection rate.
| Scanner | Detection Name |
|---|---|
| APEX | Malicious |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\Report.wer"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue"
],
"dll_loaded": [
"dbghelp.dll",
"version.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"C:\\Windows\\system32\\ole32.dll",
"ntdll",
"gdi32.dll",
"CFGMGR32.dll",
"DUI70.dll",
"kernel32.dll",
"UxTheme.dll",
"AdvApi32.dll",
"SensApi.dll",
"werui.dll",
"dwmapi.dll",
"ntdll.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"cryptsp.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"winhttp.dll",
"verifier.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\system32\\RICHED20.DLL",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"psapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"OLEAUT32.DLL",
"SspiCli.dll",
"C:\\Windows\\system32\\wer.dll",
"advapi32.dll",
"comctl32",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"USER32.dll",
"Comctl32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
"credssp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"IPHLPAPI.DLL",
"shell32.dll",
"C:\\Windows\\system32\\xmllite.dll",
"OLEAUT32.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\wship6.dll",
"DUser.dll",
"comctl32.dll",
"NSI.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"VERSION.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"mscoree.dll",
"C:\\Windows\\system32\\DUser.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"C:\\Windows\\system32\\mswsock.dll",
"powrprof.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"WS2_32.dll",
"user32.dll",
"WINHTTP.dll"
],
"file_opened": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\win.ini",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\System32\\uxtheme.dll"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\WER68A2.tmp.hdmp"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\WER5E31.tmp.WERInternalMetadata.xml"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\WER3104.tmp.mdmp"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7f8d0f55\\f331913",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Throttling\\CLR20r3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\53bf642d\\216555e6"
],
"resolves_host": [
"watson.microsoft.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\Report.wer",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp"
],
"file_exists": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFontLibrary.exe",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.PDB",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFontLibrary\\CaliforniaFontLibrary.dll",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin.config",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFontLibrary\\CaliforniaFontLibrary.exe",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFontLibrary.dll",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\System32\\uxtheme.dll"
],
"command_line": [
"dw20.exe -x -s 424"
],
"mutex": [
"Global\\2fabc4e8-f18f-11ea-8829-08002749d99b"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\symbols\\bin\\CaliforniaFonts.pdb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFonts.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\bin\\CaliforniaFonts.pdb",
"C:\\Windows\\CaliforniaFonts.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config"
],
"guid": [
"{713aacc8-3b71-435c-a3a1-be4e53621ab1}",
"{22e4c895-8ab9-40bb-b81a-001dd9b1f449}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\win.ini"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SspiCli.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNELBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\RPCRT4.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\sechost.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\uxtheme.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MachineID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\California Fonts Loader",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IMM32.DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSCTF.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ADVAPI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\msvcrt.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\ntdll.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\GDI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\VERSION.dll"
],
"directory_enumerated": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\assembly",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_*",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\System32",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Users",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_*",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\*_*_*_*",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\System32\\drivers\\*.mrk",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI",
"C:\\Windows\\System32\\uxtheme.dll"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\California Fonts Loader"
]
}Dropped
[
{
"yara": [],
"sha1": "729af33eb0a28b59dba7847010bf6363ac935ae2",
"name": "f1a2fee4b878bbc2_WER5E31.tmp.WERInternalMetadata.xml",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"type": "XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators",
"sha256": "f1a2fee4b878bbc22663be8e303da0203848aff65858ce625c8a76264f292a2f",
"urls": [],
"crc32": "A105A625",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9400\/files\/f1a2fee4b878bbc2_WER5E31.tmp.WERInternalMetadata.xml",
"ssdeep": null,
"size": 2652,
"sha512": "719b38abea87833538c893a4ad119c406b8e48795c2cf110b02ee22fe6f3ae3856e4d9547dbb39b54147c0fc868073ab59521644c28c0c7395a6f942df7a4f18",
"pids": [
2588
],
"md5": "dfcd45334d6d209225c8cc27e2e16807"
},
{
"yara": [],
"sha1": "caddbb7883593a007b6dea521c5c691da66e34ec",
"name": "bc3c045d39caa738_report.wer",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\Report.wer",
"type": "data",
"sha256": "bc3c045d39caa738382790311da5605a0fe69f9f57428fcf68a7f20fa9037b14",
"urls": [],
"crc32": "B031AD85",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9400\/files\/bc3c045d39caa738_report.wer",
"ssdeep": null,
"size": 8198,
"sha512": "3a969bf61cad201e728a1c91a2714ded48554f5104e8cec024ce8f2a7d90947012fba7dcac8b09daf62976573fe047f18474f4dbeee19b699ca3f6b7975c674a",
"pids": [
2588
],
"md5": "90e30195d974c88f63b5043ea33acc2a"
},
{
"yara": [
{
"meta": {
"description": "Contains an embedded PE32 file",
"author": "nex"
},
"name": "embedded_pe",
"offsets": {
"a": [
[
32974307,
0
],
[
37306281,
0
]
],
"b": [
[
16471474,
1
]
]
},
"strings": [
"UEUzMg==",
"VGhpcyBwcm9ncmFt"
]
},
{
"meta": {
"description": "A non-Windows executable contains win32 API functions names",
"author": "nex"
},
"name": "embedded_win_api",
"offsets": {
"api6": [
[
21350496,
6
],
[
21551155,
6
],
[
24380751,
6
],
[
26968724,
6
],
[
30480964,
6
],
[
31786466,
6
],
[
33034344,
6
],
[
33062845,
6
]
],
"api7": [
[
6629059,
5
],
[
6629072,
5
],
[
11821885,
5
],
[
20171733,
5
],
[
20172209,
5
],
[
20172320,
5
],
[
20214411,
5
],
[
21197405,
5
],
[
21221470,
5
],
[
21257910,
5
],
[
21261470,
5
],
[
21364508,
5
],
[
21541428,
5
],
[
21542727,
5
],
[
21542748,
5
],
[
21544200,
5
],
[
21544768,
5
],
[
21544788,
5
],
[
21545138,
5
],
[
21952091,
5
],
[
24379131,
5
]
],
"api2": [
[
4325497,
0
],
[
6630707,
0
],
[
19997383,
0
],
[
21349908,
0
]
],
"api3": [
[
21568777,
3
],
[
24373689,
3
]
],
"api8": [
[
30478890,
1
],
[
31784380,
1
],
[
32994049,
1
],
[
33034422,
1
]
],
"api14": [
[
30478890,
1
],
[
31784380,
1
],
[
32994049,
1
],
[
33034422,
1
]
],
"api12": [
[
30480895,
4
],
[
33034300,
4
],
[
33034320,
4
]
],
"api13": [
[
7066464,
2
],
[
16885340,
2
],
[
21226372,
2
],
[
21561681,
2
],
[
30478972,
2
],
[
33033926,
2
]
]
},
"strings": [
"R2V0UHJvY0FkZHJlc3M=",
"R2V0V2luZG93c0RpcmVjdG9yeQ==",
"R2V0VGVtcFBhdGg=",
"TG9hZExpYnJhcnlB",
"U2V0RmlsZVBvaW50ZXI=",
"U2hlbGxFeGVjdXRl",
"V3JpdGVGaWxl"
]
},
{
"meta": {
"description": "Matched shellcode byte patterns",
"author": "nex"
},
"name": "shellcode",
"offsets": {
"shell7": [
[
3587647,
0
],
[
3651231,
0
],
[
3690943,
0
],
[
3720591,
0
],
[
3738223,
0
],
[
3739231,
0
],
[
3745391,
0
],
[
3749119,
0
],
[
3767727,
0
],
[
3783471,
0
],
[
3813807,
0
],
[
3820463,
0
],
[
3850159,
0
],
[
3946671,
0
],
[
3956159,
0
],
[
3974943,
0
],
[
9170943,
0
],
[
9250623,
0
],
[
9259215,
0
],
[
9262167,
0
],
[
9262199,
0
],
[
9262235,
0
],
[
9264667,
0
],
[
9265395,
0
],
[
9265663,
0
],
[
9265695,
0
],
[
9266875,
0
],
[
9266939,
0
],
[
9268607,
0
],
[
9274755,
0
],
[
9277315,
0
],
[
9277343,
0
],
[
9281471,
0
],
[
9304883,
0
],
[
9304911,
0
],
[
9305059,
0
],
[
9306175,
0
],
[
9306403,
0
],
[
9310411,
0
],
[
9310439,
0
],
[
9310467,
0
],
[
9337447,
0
],
[
9373039,
0
],
[
9454799,
0
],
[
9455399,
0
],
[
9456735,
0
],
[
9456899,
0
],
[
9456959,
0
],
[
9457107,
0
],
[
9457187,
0
],
[
9457271,
0
],
[
9457347,
0
],
[
9457411,
0
],
[
9457559,
0
],
[
9500447,
0
],
[
9500483,
0
],
[
9511451,
0
],
[
9514819,
0
],
[
9534395,
0
],
[
9534475,
0
],
[
9534923,
0
],
[
9534951,
0
],
[
9535031,
0
],
[
9587779,
0
],
[
9599143,
0
],
[
9626619,
0
],
[
9638559,
0
],
[
9642687,
0
],
[
9651503,
0
],
[
9652451,
0
],
[
9661359,
0
],
[
9661423,
0
],
[
9661451,
0
],
[
9661515,
0
],
[
9661583,
0
],
[
9661683,
0
],
[
9661751,
0
],
[
9661819,
0
],
[
9661887,
0
],
[
9661955,
0
],
[
9662019,
0
],
[
9662083,
0
],
[
9662151,
0
],
[
9662179,
0
],
[
9662243,
0
],
[
9663127,
0
],
[
9663155,
0
],
[
9663183,
0
],
[
9663211,
0
],
[
9663239,
0
],
[
9663267,
0
],
[
9663307,
0
],
[
9663383,
0
],
[
9663487,
0
],
[
9663519,
0
],
[
9663591,
0
],
[
9663619,
0
],
[
9663647,
0
],
[
9663775,
0
],
[
9663843,
0
],
[
9663907,
0
],
[
9663975,
0
],
[
9664043,
0
],
[
9668663,
0
],
[
9770783,
0
],
[
9784987,
0
],
[
9791987,
0
],
[
9793315,
0
],
[
9887439,
0
],
[
9887903,
0
],
[
9888619,
0
],
[
9894015,
0
],
[
9894723,
0
],
[
9922083,
0
],
[
9934351,
0
],
[
10318031,
0
],
[
10322819,
0
],
[
10372387,
0
],
[
10374535,
0
],
[
10708863,
0
],
[
10733743,
0
],
[
10734751,
0
],
[
10734931,
0
],
[
10806207,
0
],
[
10810471,
0
],
[
10822191,
0
],
[
10822223,
0
],
[
10822255,
0
],
[
10913555,
0
],
[
10918495,
0
],
[
10919427,
0
],
[
10960623,
0
],
[
11089247,
0
],
[
11089631,
0
],
[
11176363,
0
],
[
11193599,
0
],
[
11212579,
0
],
[
11372371,
0
],
[
11372527,
0
],
[
11375967,
0
],
[
11426355,
0
],
[
11426471,
0
],
[
11433919,
0
],
[
11433987,
0
],
[
11434015,
0
],
[
11434047,
0
],
[
11434307,
0
],
[
11434507,
0
],
[
11434571,
0
],
[
11434639,
0
],
[
11434667,
0
],
[
11434731,
0
],
[
11434891,
0
],
[
11434955,
0
],
[
11435019,
0
],
[
11435083,
0
],
[
11435147,
0
],
[
11435295,
0
],
[
11435327,
0
],
[
11435635,
0
],
[
11436063,
0
],
[
11436251,
0
],
[
11450143,
0
],
[
11451319,
0
],
[
11451919,
0
],
[
11456971,
0
],
[
11464703,
0
],
[
11466051,
0
],
[
11466079,
0
],
[
11469347,
0
],
[
11469975,
0
],
[
11470003,
0
],
[
11470127,
0
],
[
11470339,
0
],
[
11486563,
0
],
[
11486627,
0
],
[
11486691,
0
],
[
11486759,
0
],
[
11486823,
0
],
[
11486943,
0
],
[
11487135,
0
],
[
11487647,
0
],
[
11559903,
0
],
[
11560019,
0
],
[
11560943,
0
],
[
11561811,
0
],
[
11561839,
0
],
[
11608055,
0
],
[
11631743,
0
],
[
11721683,
0
],
[
11739751,
0
],
[
11742695,
0
],
[
11743807,
0
],
[
11744383,
0
],
[
11744671,
0
],
[
11745287,
0
],
[
11746519,
0
],
[
11748511,
0
],
[
11752339,
0
],
[
11753395,
0
],
[
11753759,
0
],
[
11757695,
0
],
[
11759691,
0
],
[
11763519,
0
],
[
11772563,
0
],
[
11773811,
0
],
[
19374008,
0
],
[
19451400,
0
],
[
19492728,
0
],
[
19523240,
0
],
[
22993428,
0
],
[
23041388,
0
],
[
23155708,
0
],
[
23202752,
0
],
[
23221976,
0
],
[
23256492,
0
],
[
23268528,
0
],
[
23268604,
0
],
[
23273952,
0
],
[
23274744,
0
],
[
23301048,
0
],
[
23392492,
0
],
[
23485324,
0
],
[
23505656,
0
],
[
23517752,
0
],
[
23729624,
0
],
[
23769048,
0
],
[
24040664,
0
],
[
24042180,
0
],
[
24058428,
0
],
[
24134948,
0
],
[
24155800,
0
],
[
24167996,
0
],
[
24200444,
0
],
[
24313656,
0
],
[
24319352,
0
],
[
24320568,
0
],
[
24323048,
0
],
[
24346456,
0
],
[
24348088,
0
],
[
27282840,
0
],
[
27381180,
0
],
[
27434940,
0
],
[
27506032,
0
],
[
27513056,
0
],
[
27556880,
0
],
[
27561488,
0
],
[
29643792,
0
],
[
29658144,
0
],
[
29658384,
0
],
[
29658432,
0
],
[
29659568,
0
],
[
29677872,
0
],
[
29758384,
0
],
[
29829616,
0
],
[
29829808,
0
],
[
29851280,
0
],
[
29879808,
0
],
[
29909040,
0
],
[
29929056,
0
],
[
29955920,
0
],
[
29974784,
0
],
[
30044240,
0
],
[
30083184,
0
],
[
30124752,
0
],
[
30143216,
0
],
[
30143280,
0
],
[
30187744,
0
],
[
30201424,
0
],
[
30203344,
0
],
[
30211344,
0
],
[
34699012,
0
],
[
34766756,
0
],
[
34766928,
0
],
[
34766956,
0
],
[
34766984,
0
],
[
34767060,
0
],
[
34783276,
0
],
[
34783904,
0
],
[
34818128,
0
],
[
34835536,
0
],
[
34855080,
0
],
[
34868108,
0
],
[
34933840,
0
],
[
34942840,
0
],
[
34986848,
0
],
[
34987308,
0
],
[
34990372,
0
],
[
34994800,
0
],
[
35033128,
0
],
[
35052796,
0
],
[
35052824,
0
],
[
35052852,
0
],
[
35055904,
0
],
[
35055940,
0
],
[
35056040,
0
],
[
35056076,
0
],
[
35056120,
0
],
[
35057296,
0
],
[
35057340,
0
],
[
35057380,
0
],
[
35058180,
0
],
[
35058216,
0
],
[
35383920,
0
],
[
35383984,
0
],
[
35384012,
0
],
[
35384384,
0
],
[
35384736,
0
],
[
35385152,
0
],
[
35385184,
0
],
[
35385600,
0
],
[
35385632,
0
],
[
35385920,
0
],
[
35385952,
0
],
[
35386020,
0
],
[
35386048,
0
],
[
35394368,
0
],
[
35394400,
0
],
[
35394432,
0
],
[
35394528,
0
],
[
35402336,
0
],
[
35402504,
0
],
[
35402720,
0
],
[
35408904,
0
],
[
35409304,
0
],
[
35410112,
0
],
[
35410376,
0
],
[
35465704,
0
],
[
35465760,
0
],
[
35641960,
0
],
[
35646112,
0
],
[
35651580,
0
],
[
35662776,
0
],
[
35668672,
0
],
[
35687264,
0
],
[
35704160,
0
],
[
35795692,
0
],
[
35838496,
0
],
[
35889412,
0
],
[
35889460,
0
],
[
35889616,
0
],
[
35889696,
0
],
[
35889744,
0
],
[
35905012,
0
],
[
35906716,
0
],
[
35923136,
0
],
[
35942040,
0
],
[
35979760,
0
],
[
36293472,
0
],
[
36293668,
0
],
[
36293856,
0
],
[
36294016,
0
],
[
36294112,
0
],
[
36294432,
0
],
[
36296496,
0
],
[
36297816,
0
],
[
36298644,
0
],
[
36298676,
0
],
[
36299936,
0
],
[
36300608,
0
],
[
36311644,
0
],
[
36313088,
0
],
[
36313184,
0
],
[
36314212,
0
],
[
36320184,
0
],
[
36323088,
0
],
[
36323204,
0
],
[
36325572,
0
],
[
36339808,
0
],
[
36350272,
0
],
[
36354432,
0
],
[
36354464,
0
],
[
36356064,
0
],
[
36358180,
0
],
[
36358656,
0
],
[
36359212,
0
],
[
36359804,
0
],
[
36360064,
0
],
[
36361036,
0
],
[
36361248,
0
],
[
36365568,
0
],
[
36365704,
0
],
[
36366028,
0
],
[
36366604,
0
],
[
36367736,
0
],
[
36368396,
0
],
[
36375216,
0
],
[
36381548,
0
],
[
36382688,
0
],
[
36382980,
0
],
[
36385972,
0
],
[
36389312,
0
],
[
36390016,
0
],
[
36391624,
0
],
[
36397440,
0
],
[
36397640,
0
],
[
36400864,
0
],
[
36400960,
0
],
[
36404068,
0
],
[
36404256,
0
],
[
36405088,
0
],
[
36405864,
0
],
[
36406192,
0
],
[
36408128,
0
],
[
36408556,
0
],
[
36410388,
0
],
[
36422240,
0
],
[
36423080,
0
],
[
36429820,
0
],
[
36434508,
0
],
[
36435740,
0
],
[
36435808,
0
],
[
36435976,
0
],
[
36436908,
0
],
[
36437440,
0
],
[
36442560,
0
],
[
36442808,
0
],
[
36451416,
0
],
[
36451744,
0
],
[
36455616,
0
],
[
36459328,
0
],
[
36459392,
0
],
[
36460416,
0
],
[
36461232,
0
],
[
36461976,
0
],
[
36462104,
0
],
[
36469668,
0
],
[
36469824,
0
],
[
36475912,
0
],
[
36477100,
0
],
[
36477184,
0
],
[
36477436,
0
],
[
36478544,
0
],
[
36478656,
0
],
[
36485500,
0
],
[
36488144,
0
],
[
36503460,
0
],
[
36506860,
0
],
[
36512660,
0
],
[
36513312,
0
],
[
36515724,
0
],
[
36517016,
0
],
[
36517184,
0
],
[
36517448,
0
],
[
36517508,
0
],
[
36518816,
0
],
[
36519276,
0
],
[
36520912,
0
],
[
36521360,
0
],
[
36530272,
0
],
[
36530464,
0
],
[
36532160,
0
],
[
36532576,
0
],
[
36533956,
0
],
[
36537540,
0
],
[
36538948,
0
],
[
36545664,
0
],
[
36549652,
0
],
[
36552164,
0
],
[
36554592,
0
],
[
36559936,
0
],
[
36560116,
0
],
[
36564516,
0
],
[
36565544,
0
],
[
36565600,
0
],
[
36566796,
0
],
[
36567464,
0
],
[
36568684,
0
],
[
36569484,
0
],
[
36579456,
0
],
[
36582624,
0
],
[
36582784,
0
],
[
36584016,
0
],
[
36585024,
0
],
[
36587860,
0
],
[
36588292,
0
],
[
36592284,
0
],
[
36592792,
0
],
[
36598816,
0
],
[
36599008,
0
],
[
36600672,
0
],
[
36601232,
0
],
[
36603056,
0
],
[
36605124,
0
],
[
36610216,
0
],
[
36613408,
0
],
[
36617152,
0
],
[
36617716,
0
],
[
36618648,
0
],
[
36618912,
0
],
[
36620064,
0
],
[
36620680,
0
],
[
36624448,
0
],
[
36624980,
0
],
[
36628424,
0
],
[
36628864,
0
],
[
36630152,
0
]
],
"shell1": [
[
31087509,
1
],
[
31098927,
1
],
[
31217241,
1
],
[
31391085,
1
],
[
31442689,
1
],
[
31484943,
1
],
[
31530839,
1
],
[
31557627,
1
],
[
31582357,
1
],
[
31627529,
1
]
]
},
"strings": [
"VYvs6A==",
"ZItk"
]
}
],
"sha1": "a67208a903dc9ca289e5004802002bd754b63026",
"name": "1b7d86507f46d246_WER68A2.tmp.hdmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"type": "MDMP crash report data",
"sha256": "1b7d86507f46d246475a868131792594e67e591392c81179186d3770c4e8fccc",
"urls": [
"http:\/\/g",
"http:\/\/beta.visualstudio.net\/net\/sdk\/feedback.asp"
],
"crc32": "299C7387",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9400\/files\/1b7d86507f46d246_WER68A2.tmp.hdmp",
"ssdeep": null,
"size": 39832194,
"sha512": "66b8b43892d7c83811f6b4a950a54c95cd1a5eb2e505040306e3a1e8832f49c4b943ad70eb760fa66aef20650288cc2394684ff2136831b4ef6b28cc459be48c",
"pids": [
2588
],
"md5": "a59963838aab9eddf4faf58d5fb8fc7c"
},
{
"yara": [],
"sha1": "e01c761ac0e24504dd4c8b68b6ca39f0ae81f2ec",
"name": "0a3ffdc4ce0d6640_WER3104.tmp.mdmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"type": "MDMP crash report data",
"sha256": "0a3ffdc4ce0d6640590faca3336893cb717f4ce7fc10aeaf9ca77dc8239221a0",
"urls": [
"http:\/\/g"
],
"crc32": "FE7F1D03",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9400\/files\/0a3ffdc4ce0d6640_WER3104.tmp.mdmp",
"ssdeep": null,
"size": 5184568,
"sha512": "664883787dd8c90ea2e2324b49eb022007aafd7bf9465023139ddcc9000d91be2878b6d3ce9d9f13d5795c927a75583ccd60788c27ff0800338e1fb6dd579237",
"pids": [
2588
],
"md5": "4bbeb575b0d5bc27432fbcf1c276f8da"
},
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14_WER5E31.tmp",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9400\/files\/e3b0c44298fc1c14_WER5E31.tmp",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
}
]Generic
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"process_name": "be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"pid": 2800,
"summary": {
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\California Fonts Loader"
],
"dll_loaded": [
"ntdll",
"gdi32.dll",
"kernel32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"ADVAPI32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"advapi32.dll",
"ole32.dll",
"SHLWAPI.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"AdvApi32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"VERSION.dll",
"mscoree.dll",
"shell32.dll"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\symbols\\bin\\CaliforniaFonts.pdb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFonts.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\bin\\CaliforniaFonts.pdb",
"C:\\Windows\\CaliforniaFonts.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7f8d0f55\\f331913",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\53bf642d\\216555e6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064"
],
"file_exists": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFontLibrary.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFontLibrary\\CaliforniaFontLibrary.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFontLibrary.dll",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CaliforniaFontLibrary\\CaliforniaFontLibrary.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.PDB"
],
"file_opened": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp"
],
"command_line": [
"dw20.exe -x -s 424"
],
"file_read": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\California Fonts Loader",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Users",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
]
},
"first_seen": 1599547987.609375,
"ppid": 2924
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1599547987.34375,
"ppid": 376
},
{
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe",
"process_name": "dw20.exe",
"pid": 2588,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\Report.wer"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue"
],
"dll_loaded": [
"dbghelp.dll",
"version.dll",
"C:\\Windows\\system32\\ole32.dll",
"CFGMGR32.dll",
"DUI70.dll",
"kernel32.dll",
"UxTheme.dll",
"SensApi.dll",
"werui.dll",
"dwmapi.dll",
"ntdll.dll",
"cryptsp.dll",
"winhttp.dll",
"verifier.dll",
"C:\\Windows\\system32\\RICHED20.DLL",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"psapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"OLEAUT32.DLL",
"SspiCli.dll",
"C:\\Windows\\system32\\wer.dll",
"advapi32.dll",
"comctl32",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"USER32.dll",
"Comctl32.dll",
"credssp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"IPHLPAPI.DLL",
"C:\\Windows\\system32\\xmllite.dll",
"OLEAUT32.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\wship6.dll",
"DUser.dll",
"comctl32.dll",
"NSI.dll",
"C:\\Windows\\system32\\DUser.dll",
"C:\\Windows\\system32\\mswsock.dll",
"powrprof.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"WS2_32.dll",
"user32.dll",
"WINHTTP.dll"
],
"file_opened": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Windows\\win.ini",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\System32\\uxtheme.dll"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\WER68A2.tmp.hdmp"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\WER5E31.tmp.WERInternalMetadata.xml"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\WER3104.tmp.mdmp"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Throttling\\CLR20r3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters"
],
"resolves_host": [
"watson.microsoft.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_BU1QHQDW35ZOCD1J_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_081f0da3\\Report.wer",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp"
],
"file_exists": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68A2.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E31.tmp.WERInternalMetadata.xml",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER3104.tmp.mdmp",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\System32\\uxtheme.dll"
],
"mutex": [
"Global\\2fabc4e8-f18f-11ea-8829-08002749d99b"
],
"guid": [
"{713aacc8-3b71-435c-a3a1-be4e53621ab1}",
"{22e4c895-8ab9-40bb-b81a-001dd9b1f449}"
],
"file_read": [
"C:\\Windows\\win.ini"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SspiCli.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNELBASE.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\RPCRT4.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\sechost.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\uxtheme.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MachineID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IMM32.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSCTF.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ADVAPI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\msvcrt.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\ntdll.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\GDI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\VERSION.dll"
],
"directory_enumerated": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\assembly",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_*",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\System32",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Users",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_b9e83dc5ff41cd9ab6ca6b8ccb4a1bddecad908d_cab_*",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\*_*_*_*",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\System32\\drivers\\*.mrk",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\System32\\uxtheme.dll"
]
},
"first_seen": 1599547987.96875,
"ppid": 2800
}
]Signatures
[
{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1599548045.89075,
"tid": 2496,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 661033
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1599548045.89075,
"tid": 2496,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 661034
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 2,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1599547987.780375,
"tid": 2816,
"flags": {}
},
"pid": 2800,
"type": "call",
"cid": 365
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741809,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1599547987.874375,
"tid": 2816,
"flags": {}
},
"pid": 2800,
"type": "call",
"cid": 893
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "This executable has a PDB path",
"severity": 1,
"marks": [
{
"category": "pdb_path",
"ioc": "C:\\Users\\Anders\\Documents\\Visual Studio 2008\\Projects\\CaliforniaFonts\\CaliforniaFonts\\obj\\Release\\CaliforniaFonts.pdb",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_pdb"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1599547988.06275,
"tid": 2820,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 51
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 24,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f1000"
},
"time": 1599547987.765375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2800,
"type": "call",
"cid": 255
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003aa000"
},
"time": 1599547987.780375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 377
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f2000"
},
"time": 1599547987.780375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2800,
"type": "call",
"cid": 378
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003a2000"
},
"time": 1599547987.780375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 379
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003b2000"
},
"time": 1599547987.796375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 507
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003b3000"
},
"time": 1599547987.796375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 594
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003eb000"
},
"time": 1599547987.796375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 595
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003e7000"
},
"time": 1599547987.796375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 596
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003bc000"
},
"time": 1599547987.796375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 626
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003b4000"
},
"time": 1599547987.827375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 821
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003b5000"
},
"time": 1599547987.827375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 822
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003b6000"
},
"time": 1599547987.827375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 830
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00950000"
},
"time": 1599547987.827375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 832
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003da000"
},
"time": 1599547987.843375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 842
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 851968,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 8192,
"base_address": "0x04800000"
},
"time": 1599547987.874375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE"
}
},
"pid": 2800,
"type": "call",
"cid": 941
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04890000"
},
"time": 1599547987.874375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 943
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04891000"
},
"time": 1599547987.874375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 944
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003d2000"
},
"time": 1599548045.905375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 966
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x003e5000"
},
"time": 1599548045.905375,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2800,
"type": "call",
"cid": 977
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2588,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02650000"
},
"time": 1599547988.18775,
"tid": 2952,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2588,
"type": "call",
"cid": 1164
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2588,
"region_size": 1638400,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 8192,
"base_address": "0x04490000"
},
"time": 1599547992.54675,
"tid": 2820,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE"
}
},
"pid": 2588,
"type": "call",
"cid": 6055
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2588,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x045e0000"
},
"time": 1599547992.54675,
"tid": 2820,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2588,
"type": "call",
"cid": 6057
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2588,
"region_size": 917504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 8192,
"base_address": "0x04490000"
},
"time": 1599548043.74975,
"tid": 2820,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE"
}
},
"pid": 2588,
"type": "call",
"cid": 651637
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2588,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04530000"
},
"time": 1599548043.74975,
"tid": 2820,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2588,
"type": "call",
"cid": 651639
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 15,
"family": 0
},
"time": 1599547989.65575,
"tid": 2056,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2378
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 5,
"families": [],
"description": "Potentially malicious URLs were found in the process memory dump",
"severity": 2,
"marks": [
{
"category": "url",
"ioc": "http:\/\/www.microsoft.com\/pki\/certs\/CSPCA.crt0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/g",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.microsoft.com\/pki\/certs\/tspca.crt0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/microsoft.com0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/beta.visualstudio.net\/net\/sdk\/feedback.asp",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "memdump_urls"
},
{
"markcount": 1,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\California Fonts Loader",
"reg_value": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d.bin\" \/scanfolder"
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 7,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2588 resumed a thread in remote process 2800",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002f0",
"suspend_count": 1,
"process_identifier": 2800
},
"time": 1599548042.78075,
"tid": 2820,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 649625
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002f8",
"suspend_count": 1,
"process_identifier": 2800
},
"time": 1599548042.99975,
"tid": 2820,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 649627
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002fc",
"suspend_count": 1,
"process_identifier": 2800
},
"time": 1599548043.21875,
"tid": 2820,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 649631
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002fc",
"suspend_count": 1,
"process_identifier": 2800
},
"time": 1599548044.84375,
"tid": 2820,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 660592
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002f0",
"suspend_count": 1,
"process_identifier": 2800
},
"time": 1599548045.24975,
"tid": 2820,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 660598
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002f4",
"suspend_count": 1,
"process_identifier": 2800
},
"time": 1599548045.49975,
"tid": 2820,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 660600
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.22619891166687,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5990,
"time": 12.226167917251587,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7834,
"time": 6.173041105270386,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8162,
"time": 4.1657209396362305,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8490,
"time": 6.182363986968994,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8818,
"time": 4.6659159660339355,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9146,
"time": 3.0625641345977783,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9474,
"time": 7.007672071456909,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 9794,
"time": 4.680410146713257,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 29204,
"time": 4.197885990142822,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 37588,
"time": 6.258476972579956,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "6d8b3b61cf46af5450b6745f5ad2887a7b557aefe5d009c4ef601ef3480ffdf5",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "3b7e026f5b131811ffab45c33d34f39d7e94fa8cb2129a04e24491d4a6aeb18d",
"irc": [],
"https_ex": []
}Screenshots
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 472bf3e2c5cde8ee3e87cbada7983841 |
| SHA256 | be01c2ddb0dc203874191905dc98e560fd37458af33a800b843628c7a823242d |
Error Messages
These are some of the error messages that can appear related to californiafonts.exe:
californiafonts.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
californiafonts.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
California Fonts Manager has stopped working.
End Program - californiafonts.exe. This program is not responding.
californiafonts.exe is not a valid Win32 application.
californiafonts.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with the file?
To help other users, please let us know what you will do with the file:
What did other users do?
The poll result listed below shows what users chose to do with the file. 0% have voted for removal. Based on votes from 1 user.
| Votes | |||
|---|---|---|---|
| Keep | 100 % | 1 | |
| Remove | 0 % | 0 |
Malware or legitimate?
If you feel that you need more information to determine if your should keep this file or remove it, please read this guide.
And now some shameless self promotion ;)
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and let you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
Pete writes