What is FreeAdminTools_ME_Task.exe?

FreeAdminTools_ME_Task.exe is part of FreeAdminTools_METracking according to the FreeAdminTools_ME_Task.exe version information.

FreeAdminTools_ME_Task.exe's description is "FreeAdminTools_METracking"

FreeAdminTools_ME_Task.exe is digitally signed by ZOHO Corporation private Limited.

FreeAdminTools_ME_Task.exe is usually located in the 'C:\ManageEngine\ManageEngine Free Tools\DesktopCentral Free Windows Admin Tools\' folder.

None of the anti-virus scanners at VirusTotal reports anything malicious about FreeAdminTools_ME_Task.exe.

Vendor and version information

The following is the available information on FreeAdminTools_ME_Task.exe:

Property: Value
Product name: FreeAdminTools_METracking
File description: FreeAdminTools_METracking
Internal name: FreeAdminTools_METracking.exe
Original filename: FreeAdminTools_METracking.exe
Legal copyright: Copyright © 2016
Product version: 1.0.0.0
File version: 1.0.0.0

Digital signatures

FreeAdminTools_ME_Task.exe has a valid digital signature.

Property: Value
Signer name: ZOHO Corporation private Limited
Certificate issuer name: COMODO RSA Code Signing CA
Certificate serial number: 1669307084df0cb34e9f4c610e87d97d

VirusTotal report

None of the 71 anti-virus programs at VirusTotal detected the FreeAdminTools_ME_Task.exe file.

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

Summary

{
    "file_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabAC3E.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97B8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD4E7.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A8A.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarAC3F.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8352.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97E9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8373.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\Report.wer",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8372.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97C8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD517.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8351.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97F9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A89.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD518.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD4E6.tmp"
    ],
    "file_recreated": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabAC3E.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8351.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A8A.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97E9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97B8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarAC3F.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD518.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97F9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD517.tmp",
        "\\Device\\KsecDD",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A89.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8372.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8352.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97C8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD4E6.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8373.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD4E7.tmp"
    ],
    "directory_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue"
    ],
    "dll_loaded": [
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll",
        "imagehlp.dll",
        "API-MS-Win-Security-LSALookup-L1-1-0.dll",
        "DNSAPI.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
        "UxTheme.dll",
        "C:\\Windows\\system32\\ole32.dll",
        "dwmapi.dll",
        "cryptsp.dll",
        "ADVAPI32.dll",
        "ncrypt.dll",
        "C:\\Windows\\system32\\RICHED20.DLL",
        "API-MS-WIN-Service-Management-L2-1-0.dll",
        "C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
        "SspiCli.dll",
        "advapi32.dll",
        "comctl32",
        "psapi.dll",
        "SHLWAPI.dll",
        "USER32.dll",
        "C:\\Windows\\syswow64\\CRYPT32.dll",
        "SHELL32.dll",
        "C:\\Windows\\System32\\wship6.dll",
        "setupapi.dll",
        "CFGMGR32.dll",
        "rpcrt4.dll",
        "C:\\Windows\\System32\\wshtcpip.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
        "ntdll",
        "kernel32.dll",
        "C:\\Windows\\system32\\IMM32.DLL",
        "SensApi.dll",
        "ntdll.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
        "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
        "C:\\Windows\\system32\\wer.dll",
        "C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll",
        "Comctl32.dll",
        "IPHLPAPI.DLL",
        "RichEd20.dll",
        "profapi.dll",
        "comctl32.dll",
        "VERSION.dll",
        "WINTRUST.DLL",
        "C:\\Windows\\system32\\cryptnet.dll",
        "DEVRTL.dll",
        "Cabinet.dll",
        "user32.dll",
        "WINHTTP.dll",
        "gdi32.dll",
        "verifier.dll",
        "bcrypt.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
        "C:\\Windows\\syswow64\\MSCTF.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
        "CRYPTSP.dll",
        "credssp.dll",
        "API-MS-WIN-Service-winsvc-L1-1-0.dll",
        "C:\\Windows\\system32\\xmllite.dll",
        "ole32.dll",
        "DUser.dll",
        "NSI.dll",
        "mscorsec.dll",
        "C:\\Windows\\system32\\DUser.dll",
        "powrprof.dll",
        "shell32.dll",
        "WS2_32.dll",
        "dbghelp.dll",
        "werui.dll",
        "DUI70.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
        "imm32.dll",
        "API-MS-WIN-Service-Management-L1-1-0.dll",
        "cryptnet.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
        "OLEAUT32.DLL",
        "winhttp.dll",
        "API-MS-Win-Security-SDDL-L1-1-0.dll",
        "version.dll",
        "OLEAUT32.dll",
        "RPCRT4.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
        "mscoree.dll",
        "C:\\Windows\\system32\\mswsock.dll",
        "AdvApi32.dll"
    ],
    "file_opened": [
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll",
        "C:\\Windows\\System32\\mscoree.dll",
        "C:\\Windows\\SysWOW64\\user32.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
        "C:\\Windows\\SysWOW64\\sspicli.dll",
        "C:\\Windows\\System32\\cabinet.dll",
        "C:\\Windows\\SysWOW64\\sechost.dll",
        "C:\\Windows\\System32\\gpapi.dll",
        "C:\\Windows\\System32\\netmsg.dll",
        "C:\\Windows\\SysWOW64\\ole32.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp",
        "C:\\Windows\\System32\\profapi.dll",
        "C:\\Windows\\System32\\IPHLPAPI.DLL",
        "C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
        "C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8352.tmp",
        "C:\\Windows\\SysWOW64\\lpk.dll",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
        "C:\\Windows\\System32\\rasadhlp.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8372.tmp",
        "C:\\Windows\\SysWOW64\\usp10.dll",
        "C:\\Windows\\System32\\mswsock.dll",
        "C:\\Windows\\System32\\WSHTCPIP.DLL",
        "C:\\Windows\\System32\\wship6.dll",
        "C:\\Windows\\System32\\credssp.dll",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
        "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
        "C:\\Windows\\SysWOW64\\Wldap32.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD4E6.tmp",
        "C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp",
        "C:\\Windows\\System32\\winnsi.dll",
        "C:\\Windows\\SysWOW64\\rpcrt4.dll",
        "C:\\Windows\\System32\\webio.dll",
        "C:\\Windows\\System32\\devrtl.dll",
        "C:\\Windows\\SysWOW64\\shell32.dll",
        "C:\\Windows\\SysWOW64\\wintrust.dll",
        "C:\\Windows\\System32\\version.dll",
        "C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll",
        "C:\\Windows\\win.ini",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
        "C:\\Windows\\System32\\dnsapi.dll",
        "C:\\Windows\\SysWOW64\\ws2_32.dll",
        "C:\\Windows\\assembly\\pubpol4.dat",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8351.tmp",
        "C:\\Windows\\SysWOW64\\gdi32.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
        "C:\\Windows\\System32\\rsaenh.dll",
        "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
        "C:\\Windows\\System32\\SensApi.dll",
        "C:\\Windows\\System32\\cryptnet.dll",
        "C:\\Windows\\SysWOW64\\kernel32.dll",
        "C:\\Windows\\SysWOW64\\msvcrt.dll",
        "C:\\Windows\\SysWOW64\\shlwapi.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD4E7.tmp",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
        "C:\\Windows\\System32\\dhcpcsvc6.DLL",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
        "C:\\Windows\\System32\\winhttp.dll",
        "C:\\Windows\\SysWOW64\\ntdll.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97C8.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD517.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
        "C:\\Windows\\System32\\imm32.dll",
        "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
        "C:\\Windows\\SysWOW64\\cfgmgr32.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabAC3E.tmp",
        "C:\\Windows\\System32\\apphelp.dll",
        "C:\\Users\\cuck\\AppData\\LocalLow",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97B8.tmp",
        "C:\\Windows\\SysWOW64\\advapi32.dll",
        "C:\\Windows\\SysWOW64\\msctf.dll",
        "C:\\Windows\\System32\\userenv.dll",
        "C:\\Windows\\System32\\bcrypt.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
        "C:\\Windows\\System32\\cryptsp.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A8A.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarAC3F.tmp",
        "C:\\Windows\\SysWOW64\\nsi.dll",
        "C:\\Windows\\System32\\l_intl.nls",
        "C:\\Windows\\SysWOW64\\crypt32.dll",
        "C:\\Windows\\SysWOW64\\msasn1.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97E9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8373.tmp",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
        "C:\\Windows\\System32\\dhcpcsvc.dll",
        "C:\\Windows\\System32\\en-US\\erofflps.txt",
        "C:\\Windows\\System32\\ncrypt.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
        "C:\\Windows\\SysWOW64\\imagehlp.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97F9.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A89.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD518.tmp",
        "C:\\Windows\\SysWOW64\\KERNELBASE.dll"
    ],
    "file_copied": [
        [
            "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp",
            "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\WERDD51.tmp.mdmp"
        ],
        [
            "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml",
            "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\WERF39B.tmp.WERInternalMetadata.xml"
        ],
        [
            "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp",
            "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\WERFDFC.tmp.hdmp"
        ]
    ],
    "regkey_opened": [
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
        "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.1.0.System.Data.SQLite__db937bc2d44ff139",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.EnterpriseServices__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5cb12312\\41250a31",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Transactions__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Throttling\\CLR20r3",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a352ef7\\4e2774b5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\BidInterface\\Loader",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data__b77a5c561934e089",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
    ],
    "resolves_host": [
        "www.download.windowsupdate.com",
        "watson.microsoft.com",
        "crt.comodoca.com"
    ],
    "regkey_deleted": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
    ],
    "command_line": [
        "dw20.exe -x -s 1100"
    ],
    "mutex": [
        "Global\\0a759c6c-ab95-11e9-8829-08002749d99b"
    ],
    "guid": [
        "{713aacc8-3b71-435c-a3a1-be4e53621ab1}",
        "{22e4c895-8ab9-40bb-b81a-001dd9b1f449}"
    ],
    "regkey_read": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\LastModTime",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WLDAP32.dll",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\credssp.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\webio.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CFGMGR32.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSASN1.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DNSAPI.dll",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\ILDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rsaenh.dll",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\bcrypt.dll",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DEVRTL.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wship6.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\IJWEntrypointCompatMode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\SIG",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINHTTP.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Transactions,2.0.0.0,,b77a5c561934e089,x86",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\USERENV.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\MVID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\DisplayName",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINNSI.DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Modules",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\ConfigString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rasadhlp.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70\\SIG",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\SensApi.dll",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
    ],
    "directory_enumerated": [
        "C:\\Windows\\System32\\apphelp.dll",
        "C:\\Windows\\SysWOW64",
        "C:\\Users\\cuck\\AppData",
        "C:\\Windows\\SysWOW64\\user32.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
        "C:\\Windows\\SysWOW64\\advapi32.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib",
        "C:\\Windows\\SysWOW64\\msctf.dll",
        "C:\\Windows\\System32\\devrtl.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Windows\\SysWOW64\\sspicli.dll",
        "C:\\Windows\\System32\\cabinet.dll",
        "C:\\Windows\\System32\\winhttp.dll",
        "C:\\Windows\\SysWOW64\\kernel32.dll",
        "C:\\Windows\\SysWOW64\\msvcrt.dll",
        "C:\\Windows\\assembly",
        "C:\\Windows\\System32\\winnsi.dll",
        "C:\\Windows\\SysWOW64\\shlwapi.dll",
        "C:\\Windows\\System32\\bcrypt.dll",
        "C:\\Windows\\SysWOW64\\cfgmgr32.dll",
        "C:\\Windows\\System32\\WSHTCPIP.DLL",
        "C:\\Windows\\System32",
        "C:\\Windows\\System32\\cryptsp.dll",
        "C:\\Windows\\System32\\webio.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
        "C:\\Windows\\SysWOW64\\ole32.dll",
        "C:\\Windows\\SysWOW64\\nsi.dll",
        "C:\\Windows\\System32\\profapi.dll",
        "C:\\Windows\\System32\\mscoree.dll",
        "C:\\Windows\\SysWOW64\\crypt32.dll",
        "C:\\Windows\\SysWOW64\\msasn1.dll",
        "C:\\Windows\\System32\\IPHLPAPI.DLL",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
        "C:\\Windows\\SysWOW64\\shell32.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_6cfd744755a0da7fd476773027fb19631a5d6716_cab_*",
        "C:\\Windows\\SysWOW64\\lpk.dll",
        "C:\\Windows\\System32\\version.dll",
        "C:\\Users",
        "C:\\Windows\\SysWOW64\\wintrust.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
        "C:\\Windows\\System32\\gpapi.dll",
        "C:\\Windows\\System32\\userenv.dll",
        "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
        "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
        "C:\\Windows\\System32\\rasadhlp.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.INI",
        "C:\\Windows\\System32\\dhcpcsvc.dll",
        "C:\\Windows\\System32\\ncrypt.dll",
        "C:\\Windows\\SysWOW64\\ntdll.dll",
        "C:\\Users\\cuck",
        "C:\\Windows\\System32\\dnsapi.dll",
        "C:\\Windows\\SysWOW64\\ws2_32.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\*_*_*_*",
        "C:\\Windows\\SysWOW64\\sechost.dll",
        "C:\\Windows\\System32\\cryptnet.dll",
        "C:\\Users\\cuck\\AppData\\Local",
        "C:\\Windows\\System32\\wship6.dll",
        "C:\\Windows\\System32\\credssp.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System",
        "C:\\Windows\\System32\\imm32.dll",
        "C:\\Windows\\SysWOW64\\gdi32.dll",
        "C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.INI",
        "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_6cfd744755a0da7fd476773027fb19631a5d6716_cab_*",
        "C:\\Windows\\assembly\\GAC_32",
        "C:\\Windows\\System32\\mswsock.dll",
        "C:\\Windows\\SysWOW64\\imagehlp.dll",
        "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml",
        "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
        "C:\\Windows\\SysWOW64\\usp10.dll",
        "C:\\Windows\\SysWOW64\\rpcrt4.dll",
        "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
        "C:\\Windows\\System32\\drivers\\*.mrk",
        "C:\\Windows\\System32\\rsaenh.dll",
        "C:\\Windows",
        "C:\\Windows\\winsxs",
        "C:\\Windows\\SysWOW64\\Wldap32.dll",
        "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
        "C:\\Windows\\System32\\SensApi.dll"
    ],
    "regkey_written": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
        "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\\Blob"
    ]
}

Dropped

[
    {
        "yara": [
            {
                "meta": {
                    "description": "Contains an embedded Mach-O file",
                    "author": "nex"
                },
                "name": "embedded_macho",
                "offsets": {
                    "magic1": [
                        [
                            25854895,
                            0
                        ]
                    ]
                },
                "strings": [
                    "yv66vg=="
                ]
            },
            {
                "meta": {
                    "description": "Contains an embedded PE32 file",
                    "author": "nex"
                },
                "name": "embedded_pe",
                "offsets": {
                    "a": [
                        [
                            31016226,
                            0
                        ],
                        [
                            35348200,
                            0
                        ]
                    ],
                    "b": [
                        [
                            5527949,
                            1
                        ]
                    ]
                },
                "strings": [
                    "UEUzMg==",
                    "VGhpcyBwcm9ncmFt"
                ]
            },
            {
                "meta": {
                    "description": "A non-Windows executable contains win32 API functions names",
                    "author": "nex"
                },
                "name": "embedded_win_api",
                "offsets": {
                },
                "strings": [
                    "R2V0UHJvY0FkZHJlc3M=",
                    "R2V0V2luZG93c0RpcmVjdG9yeQ==",
                    "R2V0VGVtcFBhdGg=",
                    "TG9hZExpYnJhcnlB",
                    "U2V0RmlsZVBvaW50ZXI=",
                    "U2hlbGxFeGVjdXRl",
                    "V3JpdGVGaWxl"
                ]
            },
            {
                "meta": {
                    "description": "Matched shellcode byte patterns",
                    "author": "nex"
                },
                "name": "shellcode",
                "offsets": {
                    "shell7": [
                        [
                            33746079,
                            0
                        ],
                        [
                            33837611,
                            0
                        ],
                        [
                            33880415,
                            0
                        ],
                        [
                            33931331,
                            0
                        ],
                        [
                            33931379,
                            0
                        ],
                        [
                            33931535,
                            0
                        ],
                        [
                            33931615,
                            0
                        ],
                        [
                            33931663,
                            0
                        ],
                        [
                            33946931,
                            0
                        ],
                        [
                            33948635,
                            0
                        ],
                        [
                            33965055,
                            0
                        ],
                        [
                            33983959,
                            0
                        ],
                        [
                            34021679,
                            0
                        ],
                        [
                            34335391,
                            0
                        ],
                        [
                            34335587,
                            0
                        ],
                        [
                            34335775,
                            0
                        ],
                        [
                            34335935,
                            0
                        ],
                        [
                            34336031,
                            0
                        ],
                        [
                            34336351,
                            0
                        ],
                        [
                            34338415,
                            0
                        ],
                        [
                            34339735,
                            0
                        ],
                        [
                            34340563,
                            0
                        ],
                        [
                            34340595,
                            0
                        ],
                        [
                            34341855,
                            0
                        ],
                        [
                            34342527,
                            0
                        ],
                        [
                            34353563,
                            0
                        ],
                        [
                            34355007,
                            0
                        ],
                        [
                            34355103,
                            0
                        ],
                        [
                            34356131,
                            0
                        ],
                        [
                            34362103,
                            0
                        ],
                        [
                            34365007,
                            0
                        ],
                        [
                            34365123,
                            0
                        ],
                        [
                            34367491,
                            0
                        ],
                        [
                            34381727,
                            0
                        ],
                        [
                            34392191,
                            0
                        ],
                        [
                            34396351,
                            0
                        ],
                        [
                            34396383,
                            0
                        ],
                        [
                            34397983,
                            0
                        ],
                        [
                            34400099,
                            0
                        ],
                        [
                            34400575,
                            0
                        ],
                        [
                            34401131,
                            0
                        ],
                        [
                            34401723,
                            0
                        ],
                        [
                            34401983,
                            0
                        ],
                        [
                            34402955,
                            0
                        ],
                        [
                            34403167,
                            0
                        ],
                        [
                            34407487,
                            0
                        ],
                        [
                            34407623,
                            0
                        ],
                        [
                            34407947,
                            0
                        ],
                        [
                            34408523,
                            0
                        ],
                        [
                            34409655,
                            0
                        ],
                        [
                            34410315,
                            0
                        ],
                        [
                            34417135,
                            0
                        ],
                        [
                            34423467,
                            0
                        ],
                        [
                            34424607,
                            0
                        ],
                        [
                            34424899,
                            0
                        ],
                        [
                            34427891,
                            0
                        ],
                        [
                            34431231,
                            0
                        ],
                        [
                            34431935,
                            0
                        ],
                        [
                            34433543,
                            0
                        ],
                        [
                            34439359,
                            0
                        ],
                        [
                            34439559,
                            0
                        ],
                        [
                            34442783,
                            0
                        ],
                        [
                            34442879,
                            0
                        ],
                        [
                            34445987,
                            0
                        ],
                        [
                            34446175,
                            0
                        ],
                        [
                            34447007,
                            0
                        ],
                        [
                            34447783,
                            0
                        ],
                        [
                            34448111,
                            0
                        ],
                        [
                            34450047,
                            0
                        ],
                        [
                            34450475,
                            0
                        ],
                        [
                            34452307,
                            0
                        ],
                        [
                            34464159,
                            0
                        ],
                        [
                            34464999,
                            0
                        ],
                        [
                            34471739,
                            0
                        ],
                        [
                            34476427,
                            0
                        ],
                        [
                            34477659,
                            0
                        ],
                        [
                            34477727,
                            0
                        ],
                        [
                            34477895,
                            0
                        ],
                        [
                            34478827,
                            0
                        ],
                        [
                            34479359,
                            0
                        ],
                        [
                            34484479,
                            0
                        ],
                        [
                            34484727,
                            0
                        ],
                        [
                            34493335,
                            0
                        ],
                        [
                            34493663,
                            0
                        ],
                        [
                            34497535,
                            0
                        ],
                        [
                            34501247,
                            0
                        ],
                        [
                            34501311,
                            0
                        ],
                        [
                            34502335,
                            0
                        ],
                        [
                            34503151,
                            0
                        ],
                        [
                            34503895,
                            0
                        ],
                        [
                            34504023,
                            0
                        ],
                        [
                            34511587,
                            0
                        ],
                        [
                            34511743,
                            0
                        ],
                        [
                            34517831,
                            0
                        ],
                        [
                            34519019,
                            0
                        ],
                        [
                            34519103,
                            0
                        ],
                        [
                            34519355,
                            0
                        ],
                        [
                            34520463,
                            0
                        ],
                        [
                            34520575,
                            0
                        ],
                        [
                            34527419,
                            0
                        ],
                        [
                            34530063,
                            0
                        ],
                        [
                            34545379,
                            0
                        ],
                        [
                            34548779,
                            0
                        ],
                        [
                            34554579,
                            0
                        ],
                        [
                            34555231,
                            0
                        ],
                        [
                            34557643,
                            0
                        ],
                        [
                            34558935,
                            0
                        ],
                        [
                            34559103,
                            0
                        ],
                        [
                            34559367,
                            0
                        ],
                        [
                            34559427,
                            0
                        ],
                        [
                            34560735,
                            0
                        ],
                        [
                            34561195,
                            0
                        ],
                        [
                            34562831,
                            0
                        ],
                        [
                            34563279,
                            0
                        ],
                        [
                            34572191,
                            0
                        ],
                        [
                            34572383,
                            0
                        ],
                        [
                            34574079,
                            0
                        ],
                        [
                            34574495,
                            0
                        ],
                        [
                            34575875,
                            0
                        ],
                        [
                            34579459,
                            0
                        ],
                        [
                            34580867,
                            0
                        ],
                        [
                            34587583,
                            0
                        ],
                        [
                            34591571,
                            0
                        ],
                        [
                            34594083,
                            0
                        ],
                        [
                            34596511,
                            0
                        ],
                        [
                            34601855,
                            0
                        ],
                        [
                            34602035,
                            0
                        ],
                        [
                            34606435,
                            0
                        ],
                        [
                            34607463,
                            0
                        ],
                        [
                            34607519,
                            0
                        ],
                        [
                            34608715,
                            0
                        ],
                        [
                            34609383,
                            0
                        ],
                        [
                            34610603,
                            0
                        ],
                        [
                            34611403,
                            0
                        ],
                        [
                            34621375,
                            0
                        ],
                        [
                            34624543,
                            0
                        ],
                        [
                            34624703,
                            0
                        ],
                        [
                            34625935,
                            0
                        ],
                        [
                            34626943,
                            0
                        ],
                        [
                            34629779,
                            0
                        ],
                        [
                            34630211,
                            0
                        ],
                        [
                            34634203,
                            0
                        ],
                        [
                            34634711,
                            0
                        ],
                        [
                            34640735,
                            0
                        ],
                        [
                            34640927,
                            0
                        ],
                        [
                            34642591,
                            0
                        ],
                        [
                            34643151,
                            0
                        ],
                        [
                            34644975,
                            0
                        ],
                        [
                            34647043,
                            0
                        ],
                        [
                            34652135,
                            0
                        ],
                        [
                            34655327,
                            0
                        ],
                        [
                            34659071,
                            0
                        ],
                        [
                            34659635,
                            0
                        ],
                        [
                            34660567,
                            0
                        ],
                        [
                            34660831,
                            0
                        ],
                        [
                            34661983,
                            0
                        ],
                        [
                            34662599,
                            0
                        ],
                        [
                            34666367,
                            0
                        ],
                        [
                            34666899,
                            0
                        ],
                        [
                            34670343,
                            0
                        ],
                        [
                            34670783,
                            0
                        ],
                        [
                            34672071,
                            0
                        ]
                    ],
                    "shell1": [
                    ]
                },
                "strings": [
                    "VYvs6A==",
                    "ZItk"
                ]
            }
        ],
        "sha1": "ba338a338a01ab29728c4e7a2b05a1fbf2047efb",
        "name": "e6766542a2c53922_WERFDFC.tmp.hdmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp",
        "type": "MDMP crash report data",
        "sha256": "e6766542a2c539221e71da99c114c619706fa1f831049930f6b22d4ae7812c2a",
        "urls": [
            "http:\/\/www.d-trust.net0",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07",
            "http:\/\/www.e-certchile.cl\/html\/productos\/download\/CPSv1.7.pdf01",
            "http:\/\/users.ocsp.d-trust.net03",
            "http:\/\/www.trustcenter.de\/guidelines0",
            "http:\/\/www.usertrust.com1",
            "https:\/\/sectigo.com\/CPS0B",
            "http:\/\/crl.verisign.com\/pca3.crl0",
            "https:\/\/www.verisign.com\/rpa0",
            "http:\/\/www.xmlspy.com",
            "http:\/\/crl.usertrust.com\/UTN-USERFirst-Object.crl0)",
            "http:\/\/www.e-me.lv\/repository0",
            "http:\/\/www.pk",
            "http:\/\/www.entrust.net\/CRL\/Client1.crl0",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0",
            "https:\/\/www.verisign.com\/CPS04",
            "http:\/\/ocsp.infonotary.com\/responder.cgi0V",
            "http:\/\/www.certicamara.com0",
            "http:\/\/www.informatik.admin.ch\/PKI\/links\/CPS_2_16_756_1_17_3_1_0.pdf0",
            "http:\/\/acraiz.icpbrasil.gov.br\/LCRacraiz.crl0",
            "http:\/\/www.certplus.com\/CRL\/class2.crl0",
            "https:\/\/www.verisign.com\/repository\/verisignlogo.gif0D",
            "http:\/\/fedir.comsign.co.il\/crl\/ComSignCA.crl0",
            "http:\/\/acraiz.icpbrasil.gov.br\/DPCacraiz.pdf0=",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0",
            "http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0",
            "http:\/\/crl.sectigo.com\/COMODOTimeStampingCA_2.crl0r",
            "http:\/\/www.quovadisglobal.com\/cps0",
            "https:\/\/www.verisign.com",
            "http:\/\/ca.sia.it\/secsrv\/repository\/CRL.der0J",
            "http:\/\/www.crc.bg0",
            "http:\/\/www.post.trust.ie\/reposit\/cps.html0",
            "http:\/\/www.certplus.com\/CRL\/class3P.crl0",
            "https:\/\/www.netlock.net\/docs",
            "http:\/\/www.d-trust.net\/crl\/d-trust_root_class_3_ca_2007.crl0",
            "http:\/\/ocsp.pki.gva.es0",
            "http:\/\/www.rootca.or.kr\/rca\/cps.html0",
            "http:\/\/pki-root.ecertpki.cl\/CertEnrol",
            "https:\/\/www.catcert.net\/verarrel",
            "http:\/\/crt.sectigo.com\/COMODOTimeStampingCA_2.crt0",
            "https:\/\/www.verisign.com\/repository\/CPS",
            "http:\/\/ocsp.sectigo.com0",
            "http:\/\/crl.usertrust.com\/UTN-USERFirst-Hardware.crl01",
            "http:\/\/g",
            "http:\/\/www.valicert.com\/1",
            "https:\/\/www.catcert.net\/verarrel05",
            "http:\/\/www.certificadodigital.com.br\/repositorio\/serasaca\/crl\/SerasaCAI.crl0",
            "http:\/\/repository.infonotary.com\/cps\/qcps.html0",
            "http:\/\/www.ancert.com\/cps0",
            "https:\/\/ca.sia.it\/secsrv\/repository\/CPS0",
            "http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u",
            "http:\/\/www.certificadodigital.com.br\/repositorio\/serasaca\/crl\/SerasaCAIII.crl0",
            "http:\/\/crl.globalsign.net\/root-r2.crl0",
            "http:\/\/crl.comodoca.com\/COMODOCertificationAuthority.crl0",
            "http:\/\/certificates.starfieldtech.com\/repository\/1604",
            "http:\/\/www.entrust.net\/CRL\/net1.crl0"
        ],
        "crc32": "0AA80921",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1194\/files\/e6766542a2c53922_WERFDFC.tmp.hdmp",
        "ssdeep": null,
        "size": 42178572,
        "sha512": "1ef8a9fd48c3044b63bb391354a3237f39c93cbc207f71497020737c12276a8cc8cf4fce2954caac25968896eea8113c37f788387d4da9381b02235561eb339f",
        "pids": [
            1496
        ],
        "md5": "45557efa1419f8ed40e83d2bfeed1541"
    },
    {
        "yara": [],
        "sha1": "cf925fc512b936fe7d44ceb6e999e4a020ed6ff0",
        "name": "4c9c4d831d61c8c3_Cab5A68.tmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
        "type": "Microsoft Cabinet archive data, 56952 bytes, 1 file",
        "sha256": "4c9c4d831d61c8c38b2513f9b431ef4f4cf6af9fb18a2317cd2178d6e0997822",
        "urls": [],
        "crc32": "5168F337",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1194\/files\/4c9c4d831d61c8c3_Cab5A68.tmp",
        "ssdeep": null,
        "size": 56952,
        "sha512": "65dc435f6d3e1afd347ba1617a3eee59c6660f221faa36456a09e307d434d7276e8095e8aa34d59933e685a9f84564ec783e59ae9658791f7ebdbbc2eda32f7a",
        "pids": [
            2124
        ],
        "md5": "04d79a0dc77a8f449cbff6252862d398"
    },
    {
        "yara": [
            {
                "meta": {
                    "description": "Contains an embedded Mach-O file",
                    "author": "nex"
                },
                "name": "embedded_macho",
                "offsets": {
                    "magic1": [
                        [
                            4195240,
                            0
                        ]
                    ]
                },
                "strings": [
                    "yv66vg=="
                ]
            }
        ],
        "sha1": "ed6c9db2d800787447a62984daf9319fbe5a8b22",
        "name": "d6717ae7d08a1de7_WERDD51.tmp.mdmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp",
        "type": "MDMP crash report data",
        "sha256": "d6717ae7d08a1de7091ab8f3860d3b06b3788e807f02360c1a385807c1731b3f",
        "urls": [
            "http:\/\/g"
        ],
        "crc32": "D8EFFFEE",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1194\/files\/d6717ae7d08a1de7_WERDD51.tmp.mdmp",
        "ssdeep": null,
        "size": 4698252,
        "sha512": "67920aadba2fd09d345cf780e063e3fb77ae2b685dbda0d2415d73534f80a2c88927bf1f1acad800c9f045280d253eadf8fd647107a876bb0ecc45692a13ee44",
        "pids": [
            1496
        ],
        "md5": "06c6e8dcf2bb21a3b0edab30c7a741c2"
    },
    {
        "yara": [],
        "sha1": "3d24dab7b56b63a6520d70e5c9308267e020677d",
        "name": "10a2c4cb6e09c895_WERF39B.tmp.WERInternalMetadata.xml",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml",
        "type": "XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators",
        "sha256": "10a2c4cb6e09c8953712b2a370e86e1dd1cc34a5c1b33141300889f66b28bd37",
        "urls": [],
        "crc32": "97795BEE",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1194\/files\/10a2c4cb6e09c895_WERF39B.tmp.WERInternalMetadata.xml",
        "ssdeep": null,
        "size": 2672,
        "sha512": "42ccf5214195b8c7aeb3255bf02e4d7c3d7330bc9a15cdd57032762c146425e142b0330d2bb05c55ca21667d80c61fefe9e98e0d9d95986c446cc365d19c74bf",
        "pids": [
            1496
        ],
        "md5": "6d641a718fb12adba2b6d0f98ae787b7"
    },
    {
        "yara": [],
        "sha1": "c64ad224b877cd5bbdcdb1799b71f3682602d231",
        "name": "b0a39e28d93f7822_Tar5A69.tmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
        "type": "data",
        "sha256": "b0a39e28d93f7822fe6cac1e082c7adc581dcd2b61eb9f536e74bd14a75b27bc",
        "urls": [
            "http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0",
            "http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0",
            "http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u"
        ],
        "crc32": "B495BE07",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1194\/files\/b0a39e28d93f7822_Tar5A69.tmp",
        "ssdeep": null,
        "size": 138525,
        "sha512": "0663fb22bcefd0ac5f090104322a8c0dc1ceb77a168b589d7dbb9a74d109daf38beac97dab715220abab08c355496f5719159e17995248caa19eff45bc2a5d46",
        "pids": [
            2124
        ],
        "md5": "0e34ebf89b843b303f0fb5f194be9d28"
    },
    {
        "yara": [],
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "name": "e3b0c44298fc1c14_WERF39B.tmp",
        "type": "empty",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "urls": [],
        "crc32": "00000000",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1194\/files\/e3b0c44298fc1c14_WERF39B.tmp",
        "ssdeep": null,
        "size": 0,
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
        "md5": "d41d8cd98f00b204e9800998ecf8427e"
    },
    {
        "yara": [],
        "sha1": "022b9c9abc5c5ad2fa134972d25dbbbd93164dea",
        "name": "ba2bf857ef7f9b7b_report.wer",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\Report.wer",
        "type": "data",
        "sha256": "ba2bf857ef7f9b7bc5ae073b6561dd02e56289389711d0b1eeb173decac9b3a6",
        "urls": [],
        "crc32": "5CF273DE",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1194\/files\/ba2bf857ef7f9b7b_report.wer",
        "ssdeep": null,
        "size": 11810,
        "sha512": "aed82bd54d8a7beb160b87194e46329ff0e16f65d31f6d216ff886e1159e0d1e2cff2af984f28f43864ab960e681b6ab6ef676916f53cfff2a5fbf651d3408f3",
        "pids": [
            1496
        ],
        "md5": "7a2ed88b76e49b76b761e3d2e40f2001"
    }
]

Generic

[
    {
        "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe",
        "process_name": "dw20.exe",
        "pid": 1496,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\Report.wer",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml"
            ],
            "file_recreated": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml"
            ],
            "directory_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue"
            ],
            "dll_loaded": [
                "dbghelp.dll",
                "version.dll",
                "C:\\Windows\\system32\\ole32.dll",
                "CFGMGR32.dll",
                "DUI70.dll",
                "kernel32.dll",
                "UxTheme.dll",
                "SensApi.dll",
                "werui.dll",
                "dwmapi.dll",
                "ntdll.dll",
                "cryptsp.dll",
                "winhttp.dll",
                "verifier.dll",
                "C:\\Windows\\system32\\RICHED20.DLL",
                "API-MS-WIN-Service-Management-L2-1-0.dll",
                "API-MS-WIN-Service-Management-L1-1-0.dll",
                "C:\\Windows\\syswow64\\MSCTF.dll",
                "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
                "psapi.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
                "OLEAUT32.DLL",
                "SspiCli.dll",
                "C:\\Windows\\system32\\wer.dll",
                "advapi32.dll",
                "comctl32",
                "ole32.dll",
                "SHLWAPI.dll",
                "CRYPTSP.dll",
                "USER32.dll",
                "Comctl32.dll",
                "credssp.dll",
                "API-MS-WIN-Service-winsvc-L1-1-0.dll",
                "IPHLPAPI.DLL",
                "C:\\Windows\\system32\\xmllite.dll",
                "OLEAUT32.dll",
                "SHELL32.dll",
                "RPCRT4.dll",
                "DNSAPI.dll",
                "C:\\Windows\\System32\\wship6.dll",
                "DUser.dll",
                "comctl32.dll",
                "NSI.dll",
                "C:\\Windows\\system32\\DUser.dll",
                "C:\\Windows\\system32\\mswsock.dll",
                "powrprof.dll",
                "ADVAPI32.dll",
                "rpcrt4.dll",
                "C:\\Windows\\System32\\wshtcpip.dll",
                "WS2_32.dll",
                "user32.dll",
                "WINHTTP.dll"
            ],
            "file_opened": [
                "C:\\Windows\\System32\\apphelp.dll",
                "C:\\Windows\\SysWOW64\\wintrust.dll",
                "C:\\Windows\\System32\\mswsock.dll",
                "C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
                "C:\\Windows\\System32\\mscoree.dll",
                "C:\\Windows\\SysWOW64\\user32.dll",
                "C:\\Windows\\SysWOW64\\advapi32.dll",
                "C:\\Windows\\SysWOW64\\msctf.dll",
                "C:\\Windows\\System32\\cryptnet.dll",
                "C:\\Windows\\SysWOW64\\sspicli.dll",
                "C:\\Windows\\System32\\cabinet.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll",
                "C:\\Windows\\System32\\winhttp.dll",
                "C:\\Windows\\SysWOW64\\kernel32.dll",
                "C:\\Windows\\SysWOW64\\msvcrt.dll",
                "C:\\Windows\\System32\\winnsi.dll",
                "C:\\Windows\\SysWOW64\\shlwapi.dll",
                "C:\\Windows\\System32\\bcrypt.dll",
                "C:\\Windows\\SysWOW64\\cfgmgr32.dll",
                "C:\\Windows\\System32\\WSHTCPIP.DLL",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
                "C:\\Windows\\System32\\cryptsp.dll",
                "C:\\Windows\\System32\\webio.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
                "C:\\Windows\\System32\\dhcpcsvc6.DLL",
                "C:\\Windows\\SysWOW64\\ole32.dll",
                "C:\\Windows\\SysWOW64\\nsi.dll",
                "C:\\Windows\\System32\\profapi.dll",
                "C:\\Windows\\SysWOW64\\crypt32.dll",
                "C:\\Windows\\SysWOW64\\msasn1.dll",
                "C:\\Windows\\System32\\IPHLPAPI.DLL",
                "C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
                "C:\\Windows\\SysWOW64\\shell32.dll",
                "C:\\Windows\\SysWOW64\\lpk.dll",
                "C:\\Windows\\System32\\version.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp",
                "C:\\Windows\\System32\\rasadhlp.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
                "C:\\Windows\\System32\\gpapi.dll",
                "C:\\Windows\\System32\\userenv.dll",
                "C:\\Windows\\System32\\dhcpcsvc.dll",
                "C:\\Windows\\win.ini",
                "C:\\Windows\\System32\\en-US\\erofflps.txt",
                "C:\\Windows\\System32\\ncrypt.dll",
                "C:\\Windows\\SysWOW64\\ntdll.dll",
                "C:\\Windows\\SysWOW64\\usp10.dll",
                "C:\\Windows\\System32\\dnsapi.dll",
                "C:\\Windows\\SysWOW64\\ws2_32.dll",
                "C:\\Windows\\SysWOW64\\sechost.dll",
                "C:\\Windows\\System32\\wship6.dll",
                "C:\\Windows\\System32\\credssp.dll",
                "C:\\Windows\\System32\\imm32.dll",
                "C:\\Windows\\SysWOW64\\gdi32.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
                "C:\\Windows\\SysWOW64\\imagehlp.dll",
                "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
                "C:\\Windows\\SysWOW64\\rpcrt4.dll",
                "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
                "C:\\Windows\\System32\\rsaenh.dll",
                "C:\\Windows\\System32\\devrtl.dll",
                "C:\\Windows\\SysWOW64\\Wldap32.dll",
                "C:\\Windows\\System32\\SensApi.dll",
                "C:\\Windows\\SysWOW64\\KERNELBASE.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp"
            ],
            "file_copied": [
                [
                    "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp",
                    "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\WERDD51.tmp.mdmp"
                ],
                [
                    "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml",
                    "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\WERF39B.tmp.WERInternalMetadata.xml"
                ],
                [
                    "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp",
                    "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\WERFDFC.tmp.hdmp"
                ]
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Throttling\\CLR20r3",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows",
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters"
            ],
            "resolves_host": [
                "watson.microsoft.com"
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_KTWZHKCV4A0UBO1Q_6cfd744755a0da7fd476773027fb19631a5d6716_cab_07dbc153\\Report.wer",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp"
            ],
            "file_deleted": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml"
            ],
            "file_exists": [
                "C:\\Windows\\System32\\apphelp.dll",
                "C:\\Windows\\SysWOW64\\wintrust.dll",
                "C:\\Windows\\System32\\mswsock.dll",
                "C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
                "C:\\Windows\\System32\\mscoree.dll",
                "C:\\Windows\\SysWOW64\\user32.dll",
                "C:\\Windows\\SysWOW64\\advapi32.dll",
                "C:\\Windows\\SysWOW64\\msctf.dll",
                "C:\\Windows\\System32\\devrtl.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Windows\\SysWOW64\\sspicli.dll",
                "C:\\Windows\\System32\\cabinet.dll",
                "C:\\Windows\\System32\\winhttp.dll",
                "C:\\Windows\\SysWOW64\\kernel32.dll",
                "C:\\Windows\\SysWOW64\\msvcrt.dll",
                "C:\\Windows\\System32\\winnsi.dll",
                "C:\\Windows\\SysWOW64\\shlwapi.dll",
                "C:\\Windows\\System32\\bcrypt.dll",
                "C:\\Windows\\SysWOW64\\cfgmgr32.dll",
                "C:\\Windows\\System32\\WSHTCPIP.DLL",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
                "C:\\Windows\\System32\\cryptsp.dll",
                "C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
                "C:\\Windows\\System32\\dhcpcsvc6.DLL",
                "C:\\Windows\\SysWOW64\\ole32.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERFDFC.tmp.hdmp",
                "C:\\Windows\\System32\\profapi.dll",
                "C:\\Windows\\SysWOW64\\crypt32.dll",
                "C:\\Windows\\SysWOW64\\msasn1.dll",
                "C:\\Windows\\System32\\IPHLPAPI.DLL",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
                "C:\\Windows\\SysWOW64\\shell32.dll",
                "C:\\Windows\\SysWOW64\\lpk.dll",
                "C:\\Windows\\System32\\version.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERF39B.tmp.WERInternalMetadata.xml",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
                "C:\\Windows\\System32\\gpapi.dll",
                "C:\\Windows\\System32\\userenv.dll",
                "C:\\Windows\\System32\\webio.dll",
                "C:\\Windows\\System32\\rasadhlp.dll",
                "C:\\Windows\\System32\\dhcpcsvc.dll",
                "C:\\Windows\\System32\\en-US\\erofflps.txt",
                "C:\\Windows\\System32\\ncrypt.dll",
                "C:\\Windows\\SysWOW64\\ntdll.dll",
                "C:\\Windows\\SysWOW64\\usp10.dll",
                "C:\\Windows\\System32\\dnsapi.dll",
                "C:\\Windows\\SysWOW64\\ws2_32.dll",
                "C:\\Windows\\SysWOW64\\sechost.dll",
                "C:\\Windows\\System32\\cryptnet.dll",
                "C:\\Windows\\System32\\wship6.dll",
                "C:\\Windows\\System32\\credssp.dll",
                "C:\\Windows\\System32\\imm32.dll",
                "C:\\Windows\\SysWOW64\\gdi32.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll",
                "C:\\Windows\\SysWOW64\\imagehlp.dll",
                "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
                "C:\\Windows\\SysWOW64\\rpcrt4.dll",
                "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
                "C:\\Windows\\System32\\rsaenh.dll",
                "C:\\Windows\\SysWOW64\\nsi.dll",
                "C:\\Windows\\SysWOW64\\Wldap32.dll",
                "C:\\Windows\\System32\\SensApi.dll",
                "C:\\Windows\\SysWOW64\\KERNELBASE.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\WERDD51.tmp.mdmp"
            ],
            "mutex": [
                "Global\\0a759c6c-ab95-11e9-8829-08002749d99b"
            ],
            "guid": [
                "{713aacc8-3b71-435c-a3a1-be4e53621ab1}",
                "{22e4c895-8ab9-40bb-b81a-001dd9b1f449}"
            ],
            "file_read": [
                "C:\\Windows\\win.ini"
            ],
            "regkey_read": [
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\GPAPI.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wshtcpip.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DEVRTL.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WS2_32.dll",
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSASN1.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SspiCli.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\System32\\wship6.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WLDAP32.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IPHLPAPI.DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\credssp.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNELBASE.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\NSI.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\imagehlp.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\COMCTL32.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\webio.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPT32.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\WINTRUST.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows\\CSDBuildNumber",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\RPCRT4.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINHTTP.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\SensApi.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\sechost.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CFGMGR32.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\ncrypt.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\cryptnet.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MachineID",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rsaenh.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IMM32.DLL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\USERENV.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSCTF.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\CLR20r3",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\DNSAPI.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ADVAPI32.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc6.DLL",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\dhcpcsvc.DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\CRYPTSP.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\msvcrt.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\ntdll.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\Cabinet.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\mswsock.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\GDI32.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\rasadhlp.dll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\WINNSI.DLL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\bcrypt.dll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\VERSION.dll"
            ],
            "directory_enumerated": [
                "C:\\Windows\\System32\\apphelp.dll",
                "C:\\Windows\\SysWOW64",
                "C:\\Users\\cuck\\AppData",
                "C:\\Windows\\SysWOW64\\user32.dll",
                "C:\\Windows\\SysWOW64\\advapi32.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib",
                "C:\\Windows\\SysWOW64\\msctf.dll",
                "C:\\Windows\\System32\\devrtl.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Windows\\SysWOW64\\sspicli.dll",
                "C:\\Windows\\System32\\cabinet.dll",
                "C:\\Windows\\System32\\winhttp.dll",
                "C:\\Windows\\SysWOW64\\kernel32.dll",
                "C:\\Windows\\SysWOW64\\msvcrt.dll",
                "C:\\Windows\\assembly",
                "C:\\Windows\\System32\\winnsi.dll",
                "C:\\Windows\\SysWOW64\\shlwapi.dll",
                "C:\\Windows\\System32\\bcrypt.dll",
                "C:\\Windows\\SysWOW64\\cfgmgr32.dll",
                "C:\\Windows\\System32\\WSHTCPIP.DLL",
                "C:\\Windows\\System32",
                "C:\\Windows\\System32\\cryptsp.dll",
                "C:\\Windows\\System32\\webio.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
                "C:\\Windows\\SysWOW64\\ole32.dll",
                "C:\\Windows\\SysWOW64\\nsi.dll",
                "C:\\Windows\\System32\\profapi.dll",
                "C:\\Windows\\System32\\mscoree.dll",
                "C:\\Windows\\SysWOW64\\crypt32.dll",
                "C:\\Windows\\SysWOW64\\msasn1.dll",
                "C:\\Windows\\System32\\IPHLPAPI.DLL",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
                "C:\\Windows\\SysWOW64\\shell32.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_6cfd744755a0da7fd476773027fb19631a5d6716_cab_*",
                "C:\\Windows\\SysWOW64\\lpk.dll",
                "C:\\Windows\\System32\\version.dll",
                "C:\\Users",
                "C:\\Windows\\SysWOW64\\wintrust.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
                "C:\\Windows\\System32\\gpapi.dll",
                "C:\\Windows\\System32\\userenv.dll",
                "C:\\Windows\\System32\\rasadhlp.dll",
                "C:\\Windows\\System32\\dhcpcsvc.dll",
                "C:\\Windows\\System32\\ncrypt.dll",
                "C:\\Windows\\SysWOW64\\ntdll.dll",
                "C:\\Users\\cuck",
                "C:\\Windows\\System32\\dnsapi.dll",
                "C:\\Windows\\SysWOW64\\ws2_32.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\*_*_*_*",
                "C:\\Windows\\SysWOW64\\sechost.dll",
                "C:\\Windows\\System32\\cryptnet.dll",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Windows\\System32\\wship6.dll",
                "C:\\Windows\\System32\\credssp.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System",
                "C:\\Windows\\System32\\imm32.dll",
                "C:\\Windows\\SysWOW64\\gdi32.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_6cfd744755a0da7fd476773027fb19631a5d6716_cab_*",
                "C:\\Windows\\assembly\\GAC_32",
                "C:\\Windows\\System32\\mswsock.dll",
                "C:\\Windows\\SysWOW64\\imagehlp.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml",
                "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
                "C:\\Windows\\SysWOW64\\usp10.dll",
                "C:\\Windows\\SysWOW64\\rpcrt4.dll",
                "C:\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll",
                "C:\\Windows\\System32\\drivers\\*.mrk",
                "C:\\Windows\\System32\\rsaenh.dll",
                "C:\\Windows",
                "C:\\Windows\\winsxs",
                "C:\\Windows\\SysWOW64\\Wldap32.dll",
                "C:\\Windows\\System32\\SensApi.dll"
            ]
        },
        "first_seen": 1563706423.4218,
        "ppid": 2124
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
        "process_name": "bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
        "pid": 2124,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabAC3E.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8351.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A8A.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97E9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97B8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarAC3F.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD518.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97F9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD517.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A89.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8372.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8352.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD4E6.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8373.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD4E7.tmp"
            ],
            "file_recreated": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabAC3E.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8351.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A8A.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97E9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97B8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarAC3F.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD518.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97F9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD517.tmp",
                "\\Device\\KsecDD",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A89.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8372.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8352.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD4E6.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8373.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD4E7.tmp"
            ],
            "regkey_written": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\\Blob"
            ],
            "dll_loaded": [
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
                "imagehlp.dll",
                "API-MS-Win-Security-LSALookup-L1-1-0.dll",
                "credssp.dll",
                "ntdll",
                "API-MS-WIN-Service-Management-L2-1-0.dll",
                "gdi32.dll",
                "DNSAPI.dll",
                "kernel32.dll",
                "API-MS-Win-Security-SDDL-L1-1-0.dll",
                "SensApi.dll",
                "ntdll.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
                "cryptsp.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
                "imm32.dll",
                "ADVAPI32.dll",
                "ncrypt.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
                "bcrypt.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
                "API-MS-WIN-Service-Management-L1-1-0.dll",
                "cryptnet.dll",
                "setupapi.dll",
                "C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
                "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
                "AdvApi32.dll",
                "SspiCli.dll",
                "advapi32.dll",
                "ole32.dll",
                "SHLWAPI.dll",
                "CRYPTSP.dll",
                "USER32.dll",
                "C:\\Windows\\system32\\IMM32.DLL",
                "API-MS-WIN-Service-winsvc-L1-1-0.dll",
                "IPHLPAPI.DLL",
                "C:\\Windows\\syswow64\\CRYPT32.dll",
                "RichEd20.dll",
                "winhttp.dll",
                "profapi.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
                "RPCRT4.dll",
                "C:\\Windows\\System32\\wship6.dll",
                "NSI.dll",
                "mscorsec.dll",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
                "C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll",
                "mscoree.dll",
                "CFGMGR32.dll",
                "WINTRUST.DLL",
                "C:\\Windows\\system32\\cryptnet.dll",
                "DEVRTL.dll",
                "C:\\Windows\\system32\\mswsock.dll",
                "VERSION.dll",
                "shell32.dll",
                "C:\\Windows\\System32\\wshtcpip.dll",
                "WS2_32.dll",
                "Cabinet.dll",
                "WINHTTP.dll"
            ],
            "file_failed": [
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\74FBF93595CFC8459196065CE54AD928",
                "C:\\Windows\\symbols\\bin\\FreeAdminTools_METracking.pdb",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BF4F70F5959F0AEBFB03EDDC210D5768",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
                "C:\\Windows\\FreeAdminTools_METracking.pdb",
                "C:\\Windows\\bin\\FreeAdminTools_METracking.pdb",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\FreeAdminTools_METracking.pdb",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin.config",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\46D7547AA7F9B9DA290D5C19668E04C1",
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.EnterpriseServices__b03f5f7f11d50a3a",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
                "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
                "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a352ef7\\4e2774b5",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.1.0.System.Data.SQLite__db937bc2d44ff139",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
                "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\BidInterface\\Loader",
                "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Transactions__b77a5c561934e089",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data__b77a5c561934e089",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71",
                "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5cb12312\\41250a31",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
                "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88"
            ],
            "resolves_host": [
                "www.download.windowsupdate.com",
                "crt.comodoca.com"
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabAC3E.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8351.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A8A.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97E9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97B8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarAC3F.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD518.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97F9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD517.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A89.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8372.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8352.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD4E6.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8373.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD4E7.tmp"
            ],
            "regkey_deleted": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
            ],
            "file_deleted": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabAC3E.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8351.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A8A.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97E9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97B8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarAC3F.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD518.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97F9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD517.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A89.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8372.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8352.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD4E6.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8373.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD4E7.tmp"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\LocalLow",
                "C:\\Windows\\Globalization\\en-us.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\System.Data.SQLite\\System.Data.SQLite.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\System.Data.SQLite\\System.Data.SQLite.dll",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\System.Data.SQLite.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.config",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\System.Data.SQLite.dll",
                "C:\\Windows\\System32\\qagentrt.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.PDB",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "C:\\Windows\\inf\\",
                "C:\\Windows\\System32\\MSCOREE.DLL.local",
                "C:\\Windows\\assembly\\GAC_32\\System.Data.SQLite\\1.0.97.0__db937bc2d44ff139",
                "C:\\Windows\\System32\\dnsapi.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\DCFreeWindowsAdminTools.db",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\FreeWindowsTools.db",
                "C:\\Windows\\System32\\p2pcollab.dll",
                "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
                "C:\\Windows\\assembly\\GAC\\System.Data.SQLite\\1.0.97.0__db937bc2d44ff139",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\FreeWindowsAdminTools.db",
                "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
                "C:\\Windows\\assembly\\GAC_MSIL\\System.Data.SQLite\\1.0.97.0__db937bc2d44ff139"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabAC3E.tmp",
                "C:\\Users\\cuck\\AppData\\LocalLow",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97B8.tmp",
                "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD4E7.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A8A.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarAC3F.tmp",
                "C:\\Windows\\System32\\l_intl.nls",
                "C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD517.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8352.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97E9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8373.tmp",
                "C:\\Windows\\assembly\\pubpol4.dat",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
                "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8372.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97C8.tmp",
                "C:\\Windows\\System32\\netmsg.dll",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8351.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
                "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97F9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A89.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD518.tmp",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD4E6.tmp"
            ],
            "command_line": [
                "dw20.exe -x -s 1100"
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabAC3E.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97B8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.bin",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A68.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD4E7.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A8A.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarAC3F.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8352.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab97E9.tmp",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar8373.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8372.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97C8.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD517.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab8351.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5A69.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar97F9.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5A89.tmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarD518.tmp",
                "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabD4E6.tmp"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\Modules",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\MVID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\IJWEntrypointCompatMode",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\\Blob",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\SIG",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data,2.0.0.0,,b77a5c561934e089,x86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Transactions,2.0.0.0,,b77a5c561934e089,x86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70\\Modules",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\5b43ba09\\48ffecdd\\76\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\85e83df\\4c239d82\\71\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3b249b34\\531d6b08\\70\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\DisplayName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Modules",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\226b2009\\5b43ba09\\72\\NIDependencies",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
            ],
            "directory_enumerated": [
                "C:\\Users",
                "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
                "C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.INI",
                "C:\\Users\\cuck\\AppData",
                "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
                "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck",
                "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099.INI",
                "C:\\Windows",
                "C:\\Windows\\winsxs",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
                "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
            ]
        },
        "first_seen": 1563706385.6094,
        "ppid": 2504
    },
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1563706385.3438,
        "ppid": 376
    }
]

Signatures

[
    {
        "markcount": 2,
        "families": [],
        "description": "Queries for the computername",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameA",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1563706489.9688,
                    "tid": 2556,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 671174
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1563706489.9688,
                    "tid": 2556,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 671175
            }
        ],
        "references": [],
        "name": "antivm_queries_computername"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Checks if process is being debugged by a debugger",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741700,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1563706385.7494,
                    "tid": 2800,
                    "flags": {}
                },
                "pid": 2124,
                "type": "call",
                "cid": 365
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 2,
                    "nt_status": -1073741772,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1563706423.3274,
                    "tid": 2800,
                    "flags": {}
                },
                "pid": 2124,
                "type": "call",
                "cid": 6203
            }
        ],
        "references": [],
        "name": "checks_debugger"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "This executable has a PDB path",
        "severity": 1,
        "marks": [
            {
                "category": "pdb_path",
                "ioc": "D:\\File_Transfer\\29-May-19\\dcfreetools\\2279098\\DC_FREETOOLS\\FreeAdminTools_METracking\\obj\\x86\\Release\\FreeAdminTools_METracking.pdb",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "has_pdb"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GlobalMemoryStatusEx",
                    "return_value": 1,
                    "arguments": {},
                    "time": 1563706423.5468,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 51
            }
        ],
        "references": [],
        "name": "antivm_memory_available"
    },
    {
        "markcount": 27,
        "families": [],
        "description": "Allocates read-write-execute memory (usually to unpack itself)",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x749f1000"
                    },
                    "time": 1563706385.7344,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 255
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x0045a000"
                    },
                    "time": 1563706385.7494,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 377
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 8192,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x749f2000"
                    },
                    "time": 1563706385.7494,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 378
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00452000"
                    },
                    "time": 1563706385.7494,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 379
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00462000"
                    },
                    "time": 1563706385.7654,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 507
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00463000"
                    },
                    "time": 1563706423.2024,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 5857
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x0049b000"
                    },
                    "time": 1563706423.2184,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 5864
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00497000"
                    },
                    "time": 1563706423.2184,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 5865
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x0046c000"
                    },
                    "time": 1563706423.2184,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 5906
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05b00000"
                    },
                    "time": 1563706423.2344,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 5916
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00464000"
                    },
                    "time": 1563706423.2494,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6053
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05e00000"
                    },
                    "time": 1563706423.2654,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6090
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x0046a000"
                    },
                    "time": 1563706423.2654,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6091
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05b01000"
                    },
                    "time": 1563706423.2964,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6140
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00465000"
                    },
                    "time": 1563706423.2964,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6160
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x0048a000"
                    },
                    "time": 1563706423.3124,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6200
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 1441792,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 8192,
                        "base_address": "0x05ed0000"
                    },
                    "time": 1563706423.3274,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_RESERVE"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6251
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05ff0000"
                    },
                    "time": 1563706423.3274,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6253
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05ff1000"
                    },
                    "time": 1563706423.3274,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6254
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00482000"
                    },
                    "time": 1563706489.9994,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6344
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00495000"
                    },
                    "time": 1563706489.9994,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6355
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2124,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x05ff2000"
                    },
                    "time": 1563706489.9994,
                    "tid": 2800,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2124,
                "type": "call",
                "cid": 6357
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1496,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x02650000"
                    },
                    "time": 1563706423.9848,
                    "tid": 1996,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1496,
                "type": "call",
                "cid": 2876
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1496,
                        "region_size": 1966080,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 8192,
                        "base_address": "0x04a60000"
                    },
                    "time": 1563706429.1718,
                    "tid": 2268,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_RESERVE"
                    }
                },
                "pid": 1496,
                "type": "call",
                "cid": 11744
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1496,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x04c00000"
                    },
                    "time": 1563706429.1718,
                    "tid": 2268,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1496,
                "type": "call",
                "cid": 11746
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1496,
                        "region_size": 1769472,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 8192,
                        "base_address": "0x04880000"
                    },
                    "time": 1563706485.9848,
                    "tid": 2268,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_RESERVE"
                    }
                },
                "pid": 1496,
                "type": "call",
                "cid": 659678
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1496,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x049f0000"
                    },
                    "time": 1563706485.9848,
                    "tid": 2268,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1496,
                "type": "call",
                "cid": 659680
            }
        ],
        "references": [],
        "name": "allocates_rwx"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks adapter addresses which can be used to detect virtual network interfaces",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "network",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "GetAdaptersAddresses",
                    "return_value": 111,
                    "arguments": {
                        "flags": 15,
                        "family": 0
                    },
                    "time": 1563706385.9374,
                    "tid": 3016,
                    "flags": {}
                },
                "pid": 2124,
                "type": "call",
                "cid": 2080
            }
        ],
        "references": [],
        "name": "antivm_network_adapters"
    },
    {
        "markcount": 513,
        "families": [],
        "description": "Potentially malicious URLs were found in the process memory dump",
        "severity": 2,
        "marks": [
        ],
        "references": [],
        "name": "memdump_urls"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Attempts to create or modify system certificates",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\\Blob",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "modifies_certificates"
    },
    {
        "markcount": 18,
        "families": [],
        "description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
        "severity": 3,
        "marks": [
            {
                "category": "Process injection",
                "ioc": "Process 1496 resumed a thread in remote process 2124",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002d4",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706482.4378,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655466
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002dc",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706482.7498,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655469
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002e0",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706483.3598,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655472
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002e4",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706483.6408,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655474
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002e8",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706483.9848,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655478
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002ec",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706484.2658,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655481
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002f0",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706484.5468,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655483
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002f4",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706485.0938,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655488
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002f8",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706485.3748,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655490
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002fc",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706485.6558,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 655492
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002fc",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706487.3128,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 670591
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002f4",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706487.5938,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 670593
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002f0",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706488.3278,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 670599
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002ec",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706488.5938,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 670601
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002e8",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706488.8908,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 670603
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002e4",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706489.2498,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 670609
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000002e0",
                        "suspend_count": 1,
                        "process_identifier": 2124
                    },
                    "time": 1563706489.5158,
                    "tid": 2268,
                    "flags": {}
                },
                "pid": 1496,
                "type": "call",
                "cid": 670611
            }
        ],
        "references": [
            "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
        ],
        "name": "injection_resumethread"
    }
]

Yara

The Yara rules did not detect anything in the file.

Network



Hashes

Property  Value
MD5       f25ffc81134c986694d3fb062b521b1d
SHA256    bba758133516e9de0d4cb03e93c53fbdb057eee82eb74f1b1ea4dbe23c1e0099

Error Messages

These are some of the error messages that can appear related to freeadmintools_me_task.exe:

freeadmintools_me_task.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

freeadmintools_me_task.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

FreeAdminTools_METracking has stopped working.

End Program - freeadmintools_me_task.exe. This program is not responding.

freeadmintools_me_task.exe is not a valid Win32 application.

freeadmintools_me_task.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.


Malware or legitimate?

If you feel that you need more information to determine if you should keep this file or remove it, please read this guide.


And now some shameless self promotion ;)

Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.

If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
