VisoftPremium.exe has an empty file description field in its version information.
VisoftPremium.exe is usually located in the 'C:\ViSoftCreative\' folder.
None of the anti-virus scanners at VirusTotal reports anything malicious about VisoftPremium.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
The following is the available information on VisoftPremium.exe:
| Property | Value |
|---|---|
| File description | |
| Internal name | VisoftApplication.exe |
| Original filename | VisoftApplication.exe |
| Legal copyright | |
| Product version | 1.0.2652.30571 |
| File version | 1.0.2652.30571 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
VisoftPremium.exe is not signed.
None of the 72 anti-virus programs at VirusTotal detected the VisoftPremium.exe file.
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\Report.wer",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue"
],
"dll_loaded": [
"dbghelp.dll",
"version.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"C:\\Windows\\system32\\ole32.dll",
"ntdll",
"gdi32.dll",
"CFGMGR32.dll",
"DUI70.dll",
"C:\\Windows\\system32\\DUser.dll",
"UxTheme.dll",
"AdvApi32.dll",
"SensApi.dll",
"werui.dll",
"dwmapi.dll",
"ntdll.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"cryptsp.dll",
"winhttp.dll",
"verifier.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\system32\\RICHED20.DLL",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"psapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"OLEAUT32.DLL",
"SspiCli.dll",
"C:\\Windows\\system32\\wer.dll",
"advapi32.dll",
"comctl32",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"USER32.dll",
"Comctl32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
"credssp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"IPHLPAPI.DLL",
"shell32.dll",
"C:\\Windows\\system32\\xmllite.dll",
"OLEAUT32.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\wship6.dll",
"DUser.dll",
"comctl32.dll",
"NSI.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"VERSION.dll",
"mscoree.dll",
"kernel32.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"C:\\Windows\\system32\\mswsock.dll",
"powrprof.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"WS2_32.dll",
"user32.dll",
"WINHTTP.dll"
],
"file_opened": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\win.ini",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\System32\\uxtheme.dll"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\WER68C1.tmp.hdmp"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\WER344F.tmp.mdmp"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\WER5E60.tmp.WERInternalMetadata.xml"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1bd4e75c\\1940db5e",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\726e753\\47cded8c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting"
],
"resolves_host": [
"watson.microsoft.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\Report.wer"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp"
],
"file_exists": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CommonClasses.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.PDB",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CommonClasses\\CommonClasses.exe",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CommonClasses.exe",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CommonClasses\\CommonClasses.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\System32\\uxtheme.dll"
],
"command_line": [
"dw20.exe -x -s 428"
],
"mutex": [
"Global\\88561426-59ab-11ea-8829-08002749d99b"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config"
],
"guid": [
"{713aacc8-3b71-435c-a3a1-be4e53621ab1}",
"{22e4c895-8ab9-40bb-b81a-001dd9b1f449}"
],
"file_read": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SspiCli.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\TSUserEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNELBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\RPCRT4.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\sechost.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\uxtheme.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MachineID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IMM32.DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSCTF.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ADVAPI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\TSAppCompat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\msvcrt.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\ntdll.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\GDI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\VERSION.dll"
],
"directory_enumerated": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\assembly",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\System32",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_503c23112082af311199add0d4a52edc49161154_cab_*",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Users",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_503c23112082af311199add0d4a52edc49161154_cab_*",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\*_*_*_*",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\System32\\drivers\\*.mrk",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.INI",
"C:\\Windows\\System32\\uxtheme.dll"
]
}
[
{
"yara": [],
"sha1": "9d99239f5d787d750a12e3cc4ef60cf5765e9e37",
"name": "d9706b39d5e4d4e5_WER344F.tmp.mdmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp",
"type": "MDMP crash report data",
"sha256": "d9706b39d5e4d4e558d85322639239b32eeca80100953163cd88d89abbdea394",
"urls": [
"http:\/\/g"
],
"crc32": "74162F79",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5708\/files\/d9706b39d5e4d4e5_WER344F.tmp.mdmp",
"ssdeep": null,
"size": 2056538,
"sha512": "b087d6bfa34fd19e217b7d77a1c362e76bebf24402ae58d0ea40cd2ca4761a938802636ce8abf9859735e2b8b15b95dbb112a755063d57c11f2fcb6a4ab937c5",
"pids": [
2500
],
"md5": "98050ee3f9cf21f56ec4e6e4f22e5f88"
},
{
"yara": [
{
"meta": {
"description": "Contains an embedded PE32 file",
"author": "nex"
},
"name": "embedded_pe",
"offsets": {},
"strings": [
"UEUzMg==",
"VGhpcyBwcm9ncmFt"
]
},
{
"meta": {
"description": "A non-Windows executable contains win32 API functions names",
"author": "nex"
},
"name": "embedded_win_api",
"offsets": {},
"strings": [
"R2V0V2luZG93c0RpcmVjdG9yeQ==",
"R2V0VGVtcFBhdGg=",
"U2V0RmlsZVBvaW50ZXI=",
"V3JpdGVGaWxl"
]
},
{
"meta": {
"description": "Matched shellcode byte patterns",
"author": "nex"
},
"name": "shellcode",
"offsets": {},
"strings": [
"VYvs6A==",
"ZItk"
]
}
],
"sha1": "52892b2281e68b8d8eb294e75867e59008d24756",
"name": "520d07fbbc9746cc_WER68C1.tmp.hdmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"type": "MDMP crash report data",
"sha256": "520d07fbbc9746cca63e5a7b208945c420093e0d017bc3529945984663711962",
"urls": [
"http:\/\/g"
],
"crc32": "CCCB3B94",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5708\/files\/520d07fbbc9746cc_WER68C1.tmp.hdmp",
"ssdeep": null,
"size": 17149352,
"sha512": "0e70e8795b22f14ce1a8e3459c776a383c1ca57bef8715964f3c5c8266e819fbd37ee2b1f360b834de223939d55f0aae9da75bbbfb6ee513b9717139f033a6cb",
"pids": [
2500
],
"md5": "61023439a0e700a79c48abe06ae424c3"
},
{
"yara": [],
"sha1": "38723a942cd3c4aed3f905e67c2a2e2b89dbfd95",
"name": "fafa5c4b1c4abbdd_report.wer",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\Report.wer",
"type": "data",
"sha256": "fafa5c4b1c4abbddf798ff2e8a28fefe3b9a1772dfb86583f02be4e0d2d3efc8",
"urls": [],
"crc32": "4307D357",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5708\/files\/fafa5c4b1c4abbdd_report.wer",
"ssdeep": null,
"size": 7438,
"sha512": "98599e1d2b85d65321a3b7ddb0ff1cdba6d88d6d69a4f85863f13b74adf3285abd189354e7814d188117adbe4c5b3ad8aae5fe6eccd5ba9c0835c8bce1bb9774",
"pids": [
2500
],
"md5": "dddcde8a73ccffe90f62068136ee26c7"
},
{
"yara": [],
"sha1": "45d2c41c660586fb842bc22dfc7f71586fa507b7",
"name": "57eba2cb34bfa435_WER5E60.tmp.WERInternalMetadata.xml",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"type": "XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators",
"sha256": "57eba2cb34bfa4350a1f7631eb07b831dfc74bfcee90ccdb6d7285b26a06e6cf",
"urls": [],
"crc32": "7A75ED0E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5708\/files\/57eba2cb34bfa435_WER5E60.tmp.WERInternalMetadata.xml",
"ssdeep": null,
"size": 2652,
"sha512": "0e33b538f2aa08d80c5d43acd64d1aa0c22719048feba23ac492ba1d975deb42c26edc34e512829ff37adc98c912cd3259785e3b5049b0f752223d33aaf72606",
"pids": [
2500
],
"md5": "02dd180ff2693680faff0e17741c5c78"
},
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14_WER5E60.tmp",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5708\/files\/e3b0c44298fc1c14_WER5E60.tmp",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
}
]
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"process_name": "4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"pid": 2816,
"summary": {
"dll_loaded": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"ntdll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\VERSION.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"VERSION.dll",
"mscoree.dll",
"gdi32.dll",
"advapi32.dll",
"kernel32.dll",
"shell32.dll",
"AdvApi32.dll",
"ADVAPI32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"SHLWAPI.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"ole32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\726e753\\47cded8c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1bd4e75c\\1940db5e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\ExclusionList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\\InclusionList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting"
],
"file_exists": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CommonClasses.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CommonClasses\\CommonClasses.dll",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CommonClasses.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CommonClasses\\CommonClasses.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.PDB"
],
"file_opened": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp"
],
"command_line": [
"dw20.exe -x -s 428"
],
"file_read": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\TSUserEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\TSAppCompat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Users",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.INI",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
]
},
"first_seen": 1582843985.59375,
"ppid": 2016
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1582843985.34375,
"ppid": 376
},
{
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dw20.exe",
"process_name": "dw20.exe",
"pid": 2500,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\Report.wer",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue"
],
"dll_loaded": [
"dbghelp.dll",
"version.dll",
"C:\\Windows\\system32\\ole32.dll",
"CFGMGR32.dll",
"DUI70.dll",
"C:\\Windows\\system32\\DUser.dll",
"UxTheme.dll",
"SensApi.dll",
"werui.dll",
"dwmapi.dll",
"ntdll.dll",
"cryptsp.dll",
"winhttp.dll",
"verifier.dll",
"C:\\Windows\\system32\\RICHED20.DLL",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"psapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"OLEAUT32.DLL",
"SspiCli.dll",
"C:\\Windows\\system32\\wer.dll",
"advapi32.dll",
"comctl32",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"USER32.dll",
"Comctl32.dll",
"credssp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"IPHLPAPI.DLL",
"C:\\Windows\\system32\\xmllite.dll",
"OLEAUT32.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\wship6.dll",
"DUser.dll",
"comctl32.dll",
"NSI.dll",
"kernel32.dll",
"C:\\Windows\\system32\\mswsock.dll",
"powrprof.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"WS2_32.dll",
"user32.dll",
"WINHTTP.dll"
],
"file_opened": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\win.ini",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\System32\\uxtheme.dll"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\WER68C1.tmp.hdmp"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\WER344F.tmp.mdmp"
],
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\WER5E60.tmp.WERInternalMetadata.xml"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\CEIPRole\\RolesInWER",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dw20.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\HeapControlledList\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DebugApplications",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ExcludedApplications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters"
],
"resolves_host": [
"watson.microsoft.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_4ab103a47ec36b8e_503c23112082af311199add0d4a52edc49161154_cab_091a164f\\Report.wer"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp"
],
"file_exists": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64\\CRYPTBASE.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER5E60.tmp.WERInternalMetadata.xml",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER68C1.tmp.hdmp",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\System32\\en-US\\erofflps.txt",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\WER344F.tmp.mdmp",
"C:\\Windows\\SysWOW64\\KERNELBASE.dll",
"C:\\Windows\\System32\\uxtheme.dll"
],
"mutex": [
"Global\\88561426-59ab-11ea-8829-08002749d99b"
],
"guid": [
"{713aacc8-3b71-435c-a3a1-be4e53621ab1}",
"{22e4c895-8ab9-40bb-b81a-001dd9b1f449}"
],
"file_read": [
"C:\\Windows\\win.ini"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\profapi.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SspiCli.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\44D72C57",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerPortNumber",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LastWatsonCabUploaded",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseSSL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\LPK.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\shell32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerServer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\BIOSVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\BuildLabEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNELBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ConfigureArchive",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Windows\\CSDBuildNumber",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\QueuePesterInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\WinSxS\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\MSVCR80.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\RPCRT4.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DisableArchive",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxArchiveCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\KERNEL32.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultOverrideBehavior",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\sechost.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\uxtheme.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceUserModeCabCollection",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\CRYPTBASE.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\MachineID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\ForceQueue",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\IMM32.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\APPCRASH",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ole32.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\MaxQueueCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USER32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\CorporateWerUseAuthentication",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\MSCTF.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\SendEFSFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\KnownManagedDebuggingDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscordacwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Users\\cuck\\AppData\\Local\\Temp\\4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\ADVAPI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LoggingDisabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SYSTEM32\\MSCOREE.DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\apphelp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\BypassDataThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\msvcrt.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Reliability Analysis\\RAC\\RacWerSampleTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\SysWOW64\\ntdll.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\CurrentType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\SHLWAPI.dll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontSendAdditionalData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\USP10.dll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\RestartRunTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\syswow64\\GDI32.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Disabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\DisableQueue",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\MiniDumpAuxiliaryDlls\\C:\\Windows\\system32\\VERSION.dll"
],
"directory_enumerated": [
"C:\\Windows\\System32\\apphelp.dll",
"C:\\Windows\\SysWOW64",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\SysWOW64\\user32.dll",
"C:\\Windows\\SysWOW64\\advapi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib",
"C:\\Windows\\SysWOW64\\msctf.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\SysWOW64\\sspicli.dll",
"C:\\Windows\\SysWOW64\\kernel32.dll",
"C:\\Windows\\SysWOW64\\msvcrt.dll",
"C:\\Windows\\assembly",
"C:\\Windows\\SysWOW64\\shlwapi.dll",
"C:\\Windows\\System32",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\SysWOW64\\ole32.dll",
"C:\\Windows\\System32\\profapi.dll",
"C:\\Windows\\System32\\mscoree.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*_503c23112082af311199add0d4a52edc49161154_cab_*",
"C:\\Windows\\SysWOW64\\shell32.dll",
"C:\\Windows\\SysWOW64\\lpk.dll",
"C:\\Windows\\System32\\version.dll",
"C:\\Users",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_*_503c23112082af311199add0d4a52edc49161154_cab_*",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\*_*_*_*",
"C:\\Windows\\SysWOW64\\sechost.dll",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\imm32.dll",
"C:\\Windows\\SysWOW64\\gdi32.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\SysWOW64\\usp10.dll",
"C:\\Windows\\SysWOW64\\rpcrt4.dll",
"C:\\Windows\\System32\\drivers\\*.mrk",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\System32\\uxtheme.dll"
]
},
"first_seen": 1582843985.90625,
"ppid": 2816
}
]

[
{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1582843985.99925,
"tid": 2952,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 95
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1582843985.99925,
"tid": 2952,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 96
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 2,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1582843985.74975,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 369
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 2,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1582843985.79675,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 699
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1582843985.98425,
"tid": 2952,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 48
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 17,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f1000"
},
"time": 1582843985.73475,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 259
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0056a000"
},
"time": 1582843985.74975,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 381
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f2000"
},
"time": 1582843985.74975,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 382
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00562000"
},
"time": 1582843985.74975,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 383
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00572000"
},
"time": 1582843985.76575,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 511
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x005ab000"
},
"time": 1582843985.76575,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 596
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x005a7000"
},
"time": 1582843985.76575,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 597
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00573000"
},
"time": 1582843985.78175,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 633
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0057c000"
},
"time": 1582843985.78175,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 634
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0059a000"
},
"time": 1582843985.79675,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 692
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00592000"
},
"time": 1582844043.90675,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 768
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x005a5000"
},
"time": 1582844043.90675,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 779
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2500,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02840000"
},
"time": 1582843986.12425,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2500,
"type": "call",
"cid": 1098
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2500,
"region_size": 1376256,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 8192,
"base_address": "0x044a0000"
},
"time": 1582843990.54625,
"tid": 2952,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE"
}
},
"pid": 2500,
"type": "call",
"cid": 5818
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2500,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x045b0000"
},
"time": 1582843990.54625,
"tid": 2952,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2500,
"type": "call",
"cid": 5820
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2500,
"region_size": 1703936,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 8192,
"base_address": "0x04590000"
},
"time": 1582844042.49925,
"tid": 2952,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE"
}
},
"pid": 2500,
"type": "call",
"cid": 616215
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2500,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x046f0000"
},
"time": 1582844042.49925,
"tid": 2952,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2500,
"type": "call",
"cid": 616217
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 15,
"family": 0
},
"time": 1582843987.67125,
"tid": 2256,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 2340
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 4,
"families": [],
"description": "Potentially malicious URLs were found in the process memory dump",
"severity": 2,
"marks": [
{
"category": "url",
"ioc": "http:\/\/www.microsoft.com\/pki\/certs\/CSPCA.crt0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/g",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.microsoft.com\/pki\/certs\/tspca.crt0",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/microsoft.com0",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "memdump_urls"
},
{
"markcount": 7,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2500 resumed a thread in remote process 2816",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002f0",
"suspend_count": 1,
"process_identifier": 2816
},
"time": 1582844041.95325,
"tid": 2952,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 614366
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002f8",
"suspend_count": 1,
"process_identifier": 2816
},
"time": 1582844042.15625,
"tid": 2952,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 614368
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002fc",
"suspend_count": 1,
"process_identifier": 2816
},
"time": 1582844042.34325,
"tid": 2952,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 614371
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002fc",
"suspend_count": 1,
"process_identifier": 2816
},
"time": 1582844043.26525,
"tid": 2952,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 622045
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002f0",
"suspend_count": 1,
"process_identifier": 2816
},
"time": 1582844043.46825,
"tid": 2952,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 622047
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002f4",
"suspend_count": 1,
"process_identifier": 2816
},
"time": 1582844043.65625,
"tid": 2952,
"flags": {}
},
"pid": 2500,
"type": "call",
"cid": 622049
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
}
]

The Yara rules did not detect anything in the file.
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.144243001937866,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5990,
"time": 12.142935991287231,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7834,
"time": 6.103750944137573,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8162,
"time": 4.12663197517395,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8490,
"time": 6.116357088088989,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8818,
"time": 4.631925106048584,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9146,
"time": 2.9768459796905518,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9474,
"time": 6.969300985336304,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 9794,
"time": 4.64388108253479,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 29204,
"time": 4.14766001701355,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 37588,
"time": 6.1902549266815186,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "43400afc05fba678cfd0601d6bfed048d9c8b58361a7f8754405de1590b744b7",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "19032e4157ca8e03f65853e6c23faab5e2f2b20df23b5ddef31c33f2850857de",
"irc": [],
"https_ex": []
}


| Property | Value |
|---|---|
| MD5 | 5e185520e643a962e71a8aa853ecf936 |
| SHA256 | 4ab103a47ec36b8e767e5fa832439561dfca15b648714d2bcbe2875989780c82 |
These are some of the error messages that can appear related to visoftpremium.exe:
visoftpremium.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
visoftpremium.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
visoftpremium.exe has stopped working.
End Program - visoftpremium.exe. This program is not responding.
visoftpremium.exe is not a valid Win32 application.
visoftpremium.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
If you feel that you need more information to determine if you should keep this file or remove it, please read this guide.
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.