OverwolfUpdater.exe is part of Overwolf and developed by Overwolf LTD according to the OverwolfUpdater.exe version information.
OverwolfUpdater.exe's description is "OverwolfUpdater".
OverwolfUpdater.exe is digitally signed by Overwolf Ltd.
OverwolfUpdater.exe is usually located in the 'C:\Program Files (x86)\Overwolf\' folder.
Some of the anti-virus scanners at VirusTotal detected OverwolfUpdater.exe.
The following is the available information on OverwolfUpdater.exe:
Property | Value |
---|---|
Product name | Overwolf |
Company name | Overwolf LTD |
File description | OverwolfUpdater |
Internal name | OverwolfUpdater.exe |
Original filename | OverwolfUpdater.exe |
Comments | The Overwolf service |
Legal copyright | Copyright Overwolf © 2019 |
Product version | 0.134.0.26 |
File version | 0.134.0.26 |
OverwolfUpdater.exe has a valid digital signature.
Property | Value |
---|---|
Signer name | Overwolf Ltd |
Certificate issuer name | Symantec Class 3 SHA256 Code Signing CA |
Certificate serial number | 4fd6c5fe16ab00f702179d23b4372ebc |
1 of the 70 anti-virus programs at VirusTotal detected the OverwolfUpdater.exe file. That's a 1% detection rate.
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6057.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5F0D.tmp", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarF062.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab78B6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarEDCE.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6182.tmp", "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5EFC.tmp" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\A43489159A520F0D93D032CCAF37E7FE20A8B419\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\ConfigString", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,AMD64", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\109F1CAED645BB78B3EA2B94C0697C740733031C\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\742C3192E607E424EB4549542BE1BBC53E6174E2\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\7D7F4414CCEF168ADF6BF40753B5BECD78375931\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\SIG", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Core,3.5.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Image Path", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\Status", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\CRLs\\A377D1B1C0538833035211F4083D00FECC414DAB\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\LatestIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TURNOFFDEBUGINFO", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\ConfigMask", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\D559A586669B08F46A30A133F8A9ED3D038E2EA8\\Blob", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CseOn", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivKeyCachePurgeIntervalSeconds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MVID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\IJWEntrypointCompatMode", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\97817950D81C9670CC34D809CF794431367EF474\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\OnlyUseLatestCLR", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MissingDependencies", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeCalliOpt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\MVID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\ConfigString", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStartAtJit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\BE36A4562FB2EE05DBB3D32323ADF445084ED656\\Blob", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,AMD64", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DXM_Runtime\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\SMDiagnostics,3.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\7F88CD7223F3C813818C994614A89C99FA3B5247\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\CDD4EEAE6000AC7F40C3802C171E30148030C072\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", 
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization,3.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeInline", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Transactions,2.0.0.0,,b77a5c561934e089,AMD64", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts", "HKEY_CURRENT_USER\\Control Panel\\International\\sYearMonth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\Status", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\qagentrt.dll,-10", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\\Blob", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 60.0.2 (x86 sv-SE)\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data,2.0.0.0,,b77a5c561934e089,AMD64", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\SafeProcessSearchMode", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Image Path", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CLRLoadLogDir", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MPlayer2\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\NewGCCalc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.67.1.2!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack\\DisplayName", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableConfigCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\System32\\fveui.dll,-844", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\System32\\fveui.dll,-843", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivKeyCacheMaxItems", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableHotCold", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TailCallOpt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\ILUsageMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\SIG", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Modules", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivateKeyLifetimeSeconds", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.67.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\NIUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\\Blob", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints", "HKEY_CURRENT_USER\\Local 
Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MVID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\InstallRoot", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\ILDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx\\DisplayName", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled", "HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots\\Certificates", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.ServiceProcess,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4" ], "directory_created": [ "C:\\ProgramData\\Overwolf\\Temp", "C:\\ProgramData\\Overwolf", "C:\\ProgramData\\Overwolf\\OverwolfUpdater", "C:\\ProgramData\\Overwolf\\Log", "C:\\ProgramData\\Overwolf\\Setup" ] }
[ { "yara": [ { "meta": { "description": "Contains an embedded Mach-O file", "author": "nex" }, "name": "embedded_macho", "offsets": { "magic3": [ [ 127109, 0 ] ], "magic2": [ [ 127131, 1 ] ] }, "strings": [ "\/u36zg==", "zvrt\/g==" ] } ], "sha1": "76b1a782ccb87fb2cb47420a56c0d41376f65622", "name": "d8fa3335757227fa_nsis7z64.dll", "filepath": "C:\\ProgramData\\Overwolf\\OverwolfUpdater\\nsis7z64.dll", "type": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows", "sha256": "d8fa3335757227fab155b0198ea2abed93da5afc10fcd6e44cfd6ccef33a154b", "urls": [], "crc32": "EC8FD61F", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2333\/files\/d8fa3335757227fa_nsis7z64.dll", "ssdeep": null, "size": 519680, "sha512": "6b7006c3edde5ff478105694b02ab2f804ddae115a59faf4e0e24ed20b281b9ccb653e70f5e1a9b124e46c3717874dd150b70a6bb85ac72c5ae66a07e92f8e26", "pids": [ 1664 ], "md5": "fe15b7cdc543354207ac45c6e5a2f464" }, { "yara": [], "sha1": "461ac3e1fb8c312457b79cce4a783edb0bf65735", "name": "a2191c3b741c5d29_updatesinfo.json", "filepath": "C:\\ProgramData\\Overwolf\\OverwolfUpdater\\UpdatesInfo.json", "type": "ASCII text, with no line terminators", "sha256": "a2191c3b741c5d2909875a83e423881ec927ba54b512ca2fc0bfbda9a54fdc04", "urls": [], "crc32": "1DF264B1", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2333\/files\/a2191c3b741c5d29_updatesinfo.json", "ssdeep": null, "size": 95, "sha512": "65a5f13f16f5384ac6e879298a14011e35edec16114b501d2224eb9f927298589722333123513a0c7f3d78e90da10f2b80482db3f1af523f04e055d85956dac2", "pids": [ 1664 ], "md5": "bccd4918f853db974aa931ab49047213" }, { "yara": [], "sha1": "cf925fc512b936fe7d44ceb6e999e4a020ed6ff0", "name": "4c9c4d831d61c8c3_Cab5EFC.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5EFC.tmp", "type": "Microsoft Cabinet archive data, 56952 bytes, 1 file", "sha256": "4c9c4d831d61c8c38b2513f9b431ef4f4cf6af9fb18a2317cd2178d6e0997822", "urls": [], "crc32": "5168F337", "path": 
"\/home\/hpuser\/.cuckoo\/storage\/analyses\/2333\/files\/4c9c4d831d61c8c3_Cab5EFC.tmp", "ssdeep": null, "size": 56952, "sha512": "65dc435f6d3e1afd347ba1617a3eee59c6660f221faa36456a09e307d434d7276e8095e8aa34d59933e685a9f84564ec783e59ae9658791f7ebdbbc2eda32f7a", "pids": [ 1664 ], "md5": "04d79a0dc77a8f449cbff6252862d398" }, { "yara": [], "sha1": "34e63f62cab0ecece817f3c20dc060708c6b1658", "name": "5baf5c6b56b69e17_owver64.exe", "filepath": "C:\\ProgramData\\Overwolf\\OverwolfUpdater\\owver64.exe", "type": "PE32+ executable (console) x86-64, for MS Windows", "sha256": "5baf5c6b56b69e17debbb03df474e8f4f1777ba49b67633a354a9e938a57e68c", "urls": [ "http:\/\/s.symcb.com\/universal-root.crl0", "http:\/\/s2.symcb.com0", "https:\/\/d.symcb.com\/cps0%", "http:\/\/sv.symcb.com\/sv.crt0", "http:\/\/ts-ocsp.ws.symantec.com0", "http:\/\/sv.symcb.com\/sv.crl0a", "http:\/\/s.symcd.com06", "http:\/\/ts-aia.ws.symantec.com\/sha256-tss-ca.cer0(", "http:\/\/sv.symcd.com0", "http:\/\/www.symauth.com\/rpa00", "http:\/\/s1.symcb.com\/pca3-g5.crl0", "http:\/\/www.symauth.com\/cps0(", "https:\/\/d.symcb.com\/rpa0.", "https:\/\/d.symcb.com\/rpa0", "http:\/\/ts-crl.ws.symantec.com\/sha256-tss-ca.crl0" ], "crc32": "E3F992F9", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2333\/files\/5baf5c6b56b69e17_owver64.exe", "ssdeep": null, "size": 624968, "sha512": "45c79d04a1c2fe1d1b36a68ee74ea76df5a6e9cf796a5fee43811cdf7e083019eacd5fbbec63618b199c1accaad56849fa5a879009a434c980d7d6a1917b5b33", "pids": [ 1664 ], "md5": "93fd5f7d96ac2ee25284852c1e5c73bc" }, { "yara": [], "sha1": "904777d97865efdfd883aa5e9126752c97995586", "name": "ca8346686f16170b_ftw.dll", "filepath": "C:\\ProgramData\\Overwolf\\OverwolfUpdater\\ftw.dll", "type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows", "sha256": "ca8346686f16170b894351c0cdc623d2ec199ca2840eeaf5c72afa2b5fad2a06", "urls": [ "https:\/\/www.verisign.com\/cps0", "http:\/\/ts-crl.ws.symantec.com\/tss-ca-g2.crl0(", 
"http:\/\/crl.thawte.com\/ThawteTimestampingCA.crl0", "http:\/\/ocsp.verisign.com0", "https:\/\/www.verisign.com\/rpa", "http:\/\/crl.verisign.com\/pca3-g5.crl04", "https:\/\/www.verisign.com\/rpa0", "http:\/\/ocsp.thawte.com0", "http:\/\/logo.verisign.com\/vslogo.gif04", "http:\/\/ts-aia.ws.symantec.com\/tss-ca-g2.cer0", "http:\/\/csc3-2010-aia.verisign.com\/CSC3-2010.cer0", "http:\/\/csc3-2010-crl.verisign.com\/CSC3-2010.crl0D", "http:\/\/ts-ocsp.ws.symantec.com07" ], "crc32": "3F41C77E", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2333\/files\/ca8346686f16170b_ftw.dll", "ssdeep": null, "size": 274208, "sha512": "019bc020bc113cae40843eb3a620fd8bb6f523f1488a725332aea881a9161ac85a209f5ab9fd371f6875d455096e861cc4b9bdb3a6d883f74b3ac17068278838", "pids": [ 1664 ], "md5": "ea0802e99c58ea50c7d9935859a3ffdb" }, { "yara": [], "sha1": "5fbbe310bb70071bc01899d272fd3e2f4c9e9c63", "name": "e5e4fe87ea14cdee_overwolfupdater.log", "filepath": "C:\\ProgramData\\Overwolf\\Log\\OverwolfUpdater.log", "type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators", "sha256": "e5e4fe87ea14cdee2271afba979e8b1f30510cd4213ffc5520572a045b69ffce", "urls": [], "crc32": "0D0E833F", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2333\/files\/e5e4fe87ea14cdee_overwolfupdater.log", "ssdeep": null, "size": 6294, "sha512": "cedd568522223a666961a883f1782088f1d0614ac5a21ac0ce775a201cd6851a411b6ecf0e2752e86c3a06ebcd8d3758a5a08cf8d365fb52ed04b75796ef9efc", "pids": [ 1664 ], "md5": "43fa813471eb5f4bb2570a8f39a9aeac" }, { "yara": [], "sha1": "c64ad224b877cd5bbdcdb1799b71f3682602d231", "name": "b0a39e28d93f7822_Tar5F0D.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5F0D.tmp", "type": "data", "sha256": "b0a39e28d93f7822fe6cac1e082c7adc581dcd2b61eb9f536e74bd14a75b27bc", "urls": [ "http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0", "http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07", 
"http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0", "http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0", "http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u" ], "crc32": "B495BE07", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2333\/files\/b0a39e28d93f7822_Tar5F0D.tmp", "ssdeep": null, "size": 138525, "sha512": "0663fb22bcefd0ac5f090104322a8c0dc1ceb77a168b589d7dbb9a74d109daf38beac97dab715220abab08c355496f5719159e17995248caa19eff45bc2a5d46", "pids": [ 1664 ], "md5": "0e34ebf89b843b303f0fb5f194be9d28" } ]
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6171.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab6056.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6057.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar5F0D.tmp", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarF062.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab78B6.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarEDCE.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Tar6182.tmp", "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Cab5EFC.tmp" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\A43489159A520F0D93D032CCAF37E7FE20A8B419\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\ConfigString", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\EvalationData", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,AMD64", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET 
CLR Networking\\Performance\\Library", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\109F1CAED645BB78B3EA2B94C0697C740733031C\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\742C3192E607E424EB4549542BE1BBC53E6174E2\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\7D7F4414CCEF168ADF6BF40753B5BECD78375931\\Blob", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Core,3.5.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Image Path", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\CRLs\\A377D1B1C0538833035211F4083D00FECC414DAB\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileDirectory", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\LatestIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TURNOFFDEBUGINFO", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\SIG", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-20\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\D559A586669B08F46A30A133F8A9ED3D038E2EA8\\Blob", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CseOn", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivKeyCachePurgeIntervalSeconds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileDirectory", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MVID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\IJWEntrypointCompatMode", "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\97817950D81C9670CC34D809CF794431367EF474\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\OnlyUseLatestCLR", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeCalliOpt", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\MVID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-19\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\ConfigString", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Type", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\GCStressStartAtJit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\BE36A4562FB2EE05DBB3D32323ADF445084ED656\\Blob", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,AMD64", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DXM_Runtime\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\SMDiagnostics,3.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Cryptographic Provider v1.0\\Type", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\7F88CD7223F3C813818C994614A89C99FA3B5247\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\CDD4EEAE6000AC7F40C3802C171E30148030C072\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization,3.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\PInvokeInline", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Modules", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Transactions,2.0.0.0,,b77a5c561934e089,AMD64", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts", "HKEY_CURRENT_USER\\Control Panel\\International\\sYearMonth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\Status", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\qagentrt.dll,-10", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\Modules", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\c991064\\2bd33e1c\\81\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\\Blob", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 60.0.2 (x86 sv-SE)\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data,2.0.0.0,,b77a5c561934e089,AMD64", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\73843e06\\43a920ef\\6e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\SafeProcessSearchMode", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider\\Image Path", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\CLRLoadLogDir", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MPlayer2\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\NewGCCalc", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.67.1.2!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7950e2c5\\19b8f67f\\82\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack\\DisplayName", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableConfigCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\System32\\fveui.dll,-844", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\System32\\fveui.dll,-843", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\5fcea75a\\3c9c8d7b\\6f\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivKeyCacheMaxItems", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\DisableHotCold", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\5b43ba09\\4355c2d6\\7e\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\TailCallOpt", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\6dc7d4c0\\a5cd4db\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\ILUsageMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\7b5311d7\\1b0ed4d\\69\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\SIG", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\475dce40\\2d382ce6\\8d\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\75638fee\\7566cac\\8c\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigMask", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\19ab8d57\\1bd7b0d8\\8f\\Modules", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\\Blob", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\PrivateKeyLifetimeSeconds", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\424bd4d8\\1c83327b\\8e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.67.1.1!7\\Name", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\index143\\NIUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\6faf58\\19ab8d57\\8e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3d590c3f\\59f3b67b\\89\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\\Blob", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\36d9491a\\3fb203dc\\67\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints", "HKEY_CURRENT_USER\\Local 
Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\MVID", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-18\\ProfileImagePath", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\41c04c7e\\7f3b6ac4\\80\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\226b2009\\5b43ba09\\7a\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\InstallRoot", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3c9c8d7b\\46b95040\\74\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\159a66b8\\424bd4d8\\8f\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\85e83df\\2c4cd1a4\\79\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder", "HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\77a2835c\\36d9491a\\66\\ILDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3b249b34\\157e0c82\\78\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\181938c6\\7950e2c5\\82\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\30bc7c4f\\3f50fe4f\\90\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx\\DisplayName", 
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled", "HKEY_CURRENT_USER\\Software\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots\\Certificates", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7f0603e4\\73843e06\\6e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\3f50fe4f\\6f1da7aa\\90\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\IL\\35df3f71\\6cb3f6b9\\65\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.ServiceProcess,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_64\\NI\\7ac727df\\7b5311d7\\69\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4" ], "directory_created": [ "C:\\ProgramData\\Overwolf\\Temp", "C:\\ProgramData\\Overwolf", "C:\\ProgramData\\Overwolf\\OverwolfUpdater", "C:\\ProgramData\\Overwolf\\Log", "C:\\ProgramData\\Overwolf\\Setup" ] }, "first_seen": 1567806785.5, "ppid": 2448 }, { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 476, "summary": {}, "first_seen": 1567806785.3281, "ppid": 376 } ]
[ { "markcount": 1, "families": [], "description": "Queries for the computername", "severity": 1, "marks": [ { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1567806429.1283, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 13541 } ], "references": [], "name": "antivm_queries_computername" }, { "markcount": 1, "families": [], "description": "Checks if process is being debugged by a debugger", "severity": 1, "marks": [ { "call": { "category": "system", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741700, "api": "IsDebuggerPresent", "return_value": 0, "arguments": {}, "time": 1567806356.3783, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 372 } ], "references": [], "name": "checks_debugger" }, { "markcount": 3, "families": [ "generic" ], "description": "Uses Windows APIs to generate a cryptographic key", "severity": 1, "marks": [ { "call": { "category": "crypto", "status": 1, "stacktrace": [], "api": "CryptExportKey", "return_value": 1, "arguments": { "crypto_handle": "0x000000001cdda890", "crypto_export_handle": "0x0000000000000000", "buffer": "", "blob_type": 6, "flags": 0 }, "time": 1567806427.9413, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 12541 }, { "call": { "category": "crypto", "status": 1, "stacktrace": [], "api": "CryptExportKey", "return_value": 1, "arguments": { "crypto_handle": "0x000000001cdda890", "crypto_export_handle": "0x0000000000000000", "buffer": " ", "blob_type": 6, "flags": 0 }, "time": 1567806427.9413, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 12548 }, { "call": { "category": "crypto", "status": 1, "stacktrace": [], "api": "CryptExportKey", "return_value": 1, "arguments": { "crypto_handle": "0x000000001cddae40", "crypto_export_handle": "0x0000000000000000", "buffer": " ", "blob_type": 6, "flags": 0 }, "time": 1567806427.9883, "tid": 2736, 
"flags": {} }, "pid": 1664, "type": "call", "cid": 12566 } ], "references": [], "name": "generates_crypto_key" }, { "markcount": 1, "families": [], "description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)", "severity": 1, "marks": [ { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid", "type": "ioc", "description": null } ], "references": [], "name": "recon_fingerprint" }, { "markcount": 1, "families": [], "description": "This executable has a PDB path", "severity": 1, "marks": [ { "category": "pdb_path", "ioc": "E:\\Jenkins\\workspace\\overwolf-client\\OverwolfUpdater\\obj\\x64\\Release\\OverwolfUpdater.pdb", "type": "ioc", "description": null } ], "references": [], "name": "has_pdb" }, { "markcount": 1, "families": [], "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available", "severity": 1, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "GlobalMemoryStatusEx", "return_value": 1, "arguments": {}, "time": 1567806356.5973, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 475 } ], "references": [], "name": "antivm_memory_available" }, { "markcount": 1, "families": [], "description": "One or more processes crashed", "severity": 1, "marks": [ { "call": { "category": "__notification__", "status": 1, "stacktrace": [], "raw": [ "stacktrace" ], "api": "__exception__", "return_value": 0, "arguments": {
"stacktrace": "0x7ff001a2753\n0x7ff001a235c\n0x7ff0019d66b\n0x7ff00186ac7\n0x7ff00183453\n0x7ff001801b9\nIEE+0xda16 GetUserStore-0xa7e mscorwks+0x2c1612 @ 0x7feefaa1612\nCreateAssemblyNameObject+0x5cbb CompareAssemblyIdentity-0x6ff9 mscorwks+0x1eee13 @ 0x7feef9cee13\nPreBindAssembly+0x79a91 LoadStringRC-0x2544f mscorwks+0x69bc51 @ 0x7feefe7bc51\nGetCLRFunction+0xccaf CreateApplicationContext-0xa211 mscorwks+0x117dc7 @ 0x7feef8f7dc7\nStrongNameErrorInfo-0x31f0 mscorwks+0xf4118 @ 0x7feef8d4118\nGetAssemblyIdentityFromFile+0x195bd LegacyNGenFreeZapper-0x17af3 mscorwks+0x787e3d @ 0x7feeff67e3d\nStrongNameErrorInfo-0x10ded mscorwks+0xe651b @ 0x7feef8c651b\n_CorExeMain+0xac GetCLRFunction-0x72b8 mscorwks+0x103e60 @ 0x7feef8e3e60\n_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef1a75b21\nBaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x777a652d\nRtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x779dc521", "registers": { "r14": 0, "r9": 0, "rcx": 5727664, "rsi": 0, "r10": 0, "rbx": 0, "rdi": 0, "r11": 5038424, "r8": 5039360, "rdx": 46146920, "rbp": 0, "r15": 0, "r12": 0, "rsp": 5045056, "rax": 0, "r13": 0 }, "exception": { "instruction_r": "80 38 00 48 8b c8 e8 e2 f4 8a ee 48 89 45 10 eb", "instruction": "cmp byte ptr [rax], 0", "exception_code": "0xc0000005", "symbol": "", "address": "0x7ff001a2753" } }, "time": 1567806432.8003, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 14385 } ], "references": [], "name": "raises_exception" },
{ "markcount": 204, "families": [], "description": "Allocates read-write-execute memory (usually to unpack itself)", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feef821000" }, "time": 1567806356.2843, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 254 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9e000" }, "time": 1567806356.3473, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 329 }, { "call": {
"category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9e000" }, "time": 1567806356.3473, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 331 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9f000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 385 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9f000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 387 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9f000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 389 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", 
"return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9f000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 391 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9f000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 393 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9f000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 395 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9f000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 397 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, 
"stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9f000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 399 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefaa0000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 401 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefaa0000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 403 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefaa0000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 405 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": 
"0xffffffffffffffff", "base_address": "0x000007feefaa0000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 407 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefaa0000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 409 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefaa1000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 411 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefaa1000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 413 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefaa1000" }, "time": 1567806356.3943, "tid": 
2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 415 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefaa1000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 417 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feefa9e000" }, "time": 1567806356.3943, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 1664, "type": "call", "cid": 419 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00042000" }, "time": 1567806356.6283, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 539 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 589824, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 1056768, "base_address": "0x000007fffff10000" }, "time": 1567806394.7533, 
"tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_RESERVE|MEM_TOP_DOWN" } }, "pid": 1664, "type": "call", "cid": 7626 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007fffff10000" }, "time": 1567806394.7533, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 7627 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007fffff10000" }, "time": 1567806394.7533, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 7628 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 1056768, "base_address": "0x000007fffff00000" }, "time": 1567806394.7533, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_RESERVE|MEM_TOP_DOWN" } }, "pid": 1664, "type": "call", "cid": 7629 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, 
"stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007fffff00000" }, "time": 1567806394.7533, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 7630 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff000fa000" }, "time": 1567806394.7533, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 7631 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00032000" }, "time": 1567806394.7533, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 7632 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00043000" }, "time": 1567806425.2693, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 10984 }, { "call": { 
"category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff0010a000" }, "time": 1567806425.2843, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 10996 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00132000" }, "time": 1567806425.2843, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 10997 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff0010d000" }, "time": 1567806425.2843, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 10998 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff0004c000" }, "time": 
1567806425.3313, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11039 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00180000" }, "time": 1567806425.3783, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11083 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00044000" }, "time": 1567806425.3783, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11086 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff0005f000" }, "time": 1567806425.3783, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11087 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, 
"stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff000f2000" }, "time": 1567806425.4253, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11103 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00045000" }, "time": 1567806425.4563, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11113 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00046000" }, "time": 1567806425.5503, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11196 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00047000" }, "time": 1567806425.6133, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11244 }, { "call": { "category": "process", 
"status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00181000" }, "time": 1567806425.6133, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11245 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff000fb000" }, "time": 1567806425.7063, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11273 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff0004d000" }, "time": 1567806425.7223, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11287 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 8192, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x00000000007b2000" }, "time": 1567806425.7223, "tid": 2736, 
"flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11288 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff001c0000" }, "time": 1567806425.7383, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11291 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00048000" }, "time": 1567806425.7383, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11292 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00182000" }, "time": 1567806425.7383, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11293 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, 
"heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00094000" }, "time": 1567806425.7533, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11305 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 1664, "region_size": 4096, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x000007ff00063000" }, "time": 1567806425.7533, "tid": 2736, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 1664, "type": "call", "cid": 11306 } ], "references": [], "name": "allocates_rwx" }, { "markcount": 1, "families": [], "description": "Checks adapter addresses which can be used to detect virtual network interfaces", "severity": 2, "marks": [ { "call": { "category": "network", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741772, "api": "GetAdaptersAddresses", "return_value": 111, "arguments": { "flags": 15, "family": 0 }, "time": 1567806359.1593, "tid": 2820, "flags": {} }, "pid": 1664, "type": "call", "cid": 4158 } ], "references": [], "name": "antivm_network_adapters" }, { "markcount": 1, "families": [], "description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege", "severity": 2, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1567806426.8313, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 12001 } ], "references": [], "name": "privilege_luid_check" }, { "markcount": 29, "families": [], "description": "Queries for potentially 
installed applications", "severity": 2, "marks": [ { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegOpenKeyExW", "return_value": 0, "arguments": { "access": "0x00020019", "base_handle": "0xffffffff80000002", "key_handle": "0x0000000000000408", "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "regkey_r": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "options": 0 }, "time": 1567806426.9413, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 12088 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegOpenKeyExW", "return_value": 0, "arguments": { "access": "0x00020019", "base_handle": "0x0000000000000408", "key_handle": "0x0000000000000480", "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook", "regkey_r": "AddressBook", "options": 0 }, "time": 1567806426.9563, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 12109 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegOpenKeyExW", "return_value": 0, "arguments": { "access": "0x00020019", "base_handle": "0x0000000000000408", "key_handle": "0x0000000000000470", "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager", "regkey_r": "Connection Manager", "options": 0 }, "time": 1567806426.9563, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 12113 }, { "call": { "category": "registry", "status": 1, "stacktrace": [], "api": "RegOpenKeyExW", "return_value": 0, "arguments": { "access": "0x00020019", "base_handle": "0x0000000000000408", "key_handle": "0x0000000000000468", "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx", "regkey_r": "DirectDrawEx", "options": 0 }, "time": 1567806426.9563, "tid": 2736, "flags": {} }, "pid": 1664, "type": "call", "cid": 12115 }, { "call": { "category": "registry", 
OverwolfUpdater.exe (4 votes)
Property | Value |
---|---|
MD5 | 403e3c26327e2d4f5c679ff0d6410a08 |
SHA256 | daf6bce66c3697be3c8a1aa077143515dda5453aa07dfe6914465bfb7e51a3bc |
These are some of the error messages that can appear related to overwolfupdater.exe:
overwolfupdater.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
overwolfupdater.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
OverwolfUpdater has stopped working.
End Program - overwolfupdater.exe. This program is not responding.
overwolfupdater.exe is not a valid Win32 application.
overwolfupdater.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
The poll result listed below shows what users chose to do with the file. 100% have voted for removal. Based on votes from 1 user.
Vote | Share | Count |
---|---|---|
Keep | 0 % | 0 |
Remove | 100 % | 1 |
NOTE: Please do not use this poll as the only source of input to determine what you will do with the file. Only 1 user has voted so far so it does not offer a high degree of confidence.
If you feel that you need more information to determine if you should keep this file or remove it, please read this guide.
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.