What is kBwCGnTY.exe?
kBwCGnTY.exe is part of Notifiaction and developed by Micro-Star International Co., Ltd. according to the kBwCGnTY.exe version information.
kBwCGnTY.exe's description is "MSI Notification"
kBwCGnTY.exe is usually located in the 'c:\users\%USERNAME%\appdata\roaming\' folder.
Some of the anti-virus scanners at VirusTotal detected kBwCGnTY.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on kBwCGnTY.exe:
| Property | Value |
|---|---|
| Product name | Notifiaction |
| Company name | Micro-Star International Co., Ltd. |
| File description | MSI Notification |
| Internal name | MSI Notifications.exe |
| Original filename | MSI Notifications.exe |
| Comments | MSI Notification |
| Legal copyright | Copyright \xA9 2015 Micro-Star International Co., Ltd. |
| Product version | 2.3.1806.8 |
| File version | 2.3.1806.8 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | Notifiaction |
| Company name | Micro-Star International Co., Ltd. |
| File description | MSI Notification |
| Internal name | MSI Notifications.exe |
| Original filename | MSI Notifications.exe |
| Comments | MSI Notification |
| Legal copyright | Copyright \xA9 2015 Micro-Star Inte.. |
| Product version | 2.3.1806.8 |
| File version | 2.3.1806.8 |
Digital signatures [?]
kBwCGnTY.exe is not signed.
VirusTotal report
41 of the 71 anti-virus programs at VirusTotal detected the kBwCGnTY.exe file. That's a 58% detection rate.
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.MSILPerseus.185881 |
| AegisLab | Trojan.Win32.Perseus.4!c |
| AhnLab-V3 | Trojan/Win32.MSIL.C3175244 |
| Alibaba | Trojan:MSIL/Kryptik.101da959 |
| ALYac | Gen:Variant.MSILPerseus.185881 |
| Arcabit | Trojan.MSILPerseus.D2D619 |
| Avast | Win32:Trojan-gen |
| AVG | Win32:Trojan-gen |
| BitDefender | Gen:Variant.MSILPerseus.185881 |
| CrowdStrike | win/malicious_confidence_90% (W) |
| Cybereason | malicious.20aaa2 |
| Cyren | W32/Trojan.ULYR-3716 |
| Emsisoft | Gen:Variant.MSILPerseus.185881 (B) |
| Endgame | malicious (moderate confidence) |
| ESET-NOD32 | a variant of MSIL/Kryptik.RKO |
| FireEye | Generic.mg.6a492d582f1a19dd |
| Fortinet | MSIL/Kryptik.RKO!tr |
| GData | Win32.Backdoor.Gamarue.TE6O8C |
| Ikarus | Trojan.MSIL.Crypt |
| Invincea | heuristic |
| K7AntiVirus | Trojan ( 0054cb391 ) |
| K7GW | Trojan ( 0054cb391 ) |
| Kaspersky | HEUR:Trojan.MSIL.Crypt.gen |
| McAfee | RDN/Generic.dx |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.gc |
| Microsoft | Trojan:MSIL/Imminent.A!MTB |
| MicroWorld-eScan | Gen:Variant.MSILPerseus.185881 |
| Paloalto | generic.ml |
| Panda | Trj/GdSda.A |
| Qihoo-360 | HEUR/QVM03.0.C479.Malware.Gen |
| Rising | Trojan.Kryptik!8.8 (CLOUD) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Generic-S |
| Symantec | Trojan.Gen.MBT |
| Tencent | Msil.Trojan.Crypt.Wozx |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TROJ_GEN.R002C0WDR19 |
| TrendMicro-HouseCall | TROJ_GEN.R002C0WDR19 |
| VBA32 | TScope.Trojan.MSIL |
| ZoneAlarm | HEUR:Trojan.MSIL.Crypt.gen |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2740.16896828",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2740.16896812",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2740.16896812"
],
"file_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\network.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\system.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\network.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\ActiveMovie\\devenum\\Version"
],
"dll_loaded": [
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\shell32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll",
"imm32.dll",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
"kernel32",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\oleaut32.dll",
"ntdll",
"gdi32.dll",
"DNSAPI.dll",
"kernel32.dll",
"oleaut32",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"oleaut32.dll",
"ntdll.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"ADVAPI32.dll",
"ntmarta.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\system32\\napinsp.dll",
"uxtheme.dll",
"setupapi.dll",
"SXS.DLL",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"SspiCli.dll",
"advapi32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\CustomMarshalers\\bf7e7494e75e32979c7824a07570a8a9\\CustomMarshalers.ni.dll",
"gdiplus.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"C:\\Windows\\assembly\\GAC_32\\CustomMarshalers\\2.0.0.0__b03f5f7f11d50a3a\\oleaut32",
"IPHLPAPI.DLL",
"C:\\Windows\\assembly\\GAC_32\\CustomMarshalers\\2.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.dll",
"msdmo.dll",
"WINTRUST.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll",
"AdvApi32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\wminet_utils.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll",
"C:\\Windows\\System32\\winrnr.dll",
"psapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll",
"sxs.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"WindowsCodecs.dll",
"VERSION.dll",
"mscoree.dll",
"RpcRtRemote.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\iphlpapi.dll",
"avicap32.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"Kernel32.dll",
"shfolder.dll",
"iphlpapi.dll",
"shell32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll",
"SETUPAPI.dll",
"WS2_32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Runtime.Remo#\\5cae93d923c8378370758489e5535820\\System.Runtime.Remoting.ni.dll",
"user32.dll",
"ws2_32.dll"
],
"file_opened": [
"C:\\Windows\\Fonts\\msyh.ttf",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\Fonts\\tahoma.ttf",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\Fonts\\msjh.ttf",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"C:\\Windows\\Fonts\\malgun.ttf",
"C:\\Users\\cuck\\AppData\\Roaming\\kBwCGnTY.exe",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Windows\\assembly\\GAC_32\\CustomMarshalers\\2.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.dll",
"C:\\Windows\\SysWOW64\\stdole2.tlb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"C:\\Users\\cuck\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\Fonts\\micross.ttf",
"C:\\Windows\\Fonts\\segoeui.ttf"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"C:\\Users\\cuck\\AppData\\Roaming\\kBwCGnTY.exe"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\519613b5\\7c7c3a83",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.DirectoryServices__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.2.AForge.Video.DirectShow__61ea4348d43881b7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\296507a\\7c3adc7b",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c04f6bc\\27b8c711",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{846EE342-7039-11DE-9D20-806E6F6E6963}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\ActiveMovie\\devenum\\{860BB310-5D01-11D0-BD3B-00A0C911CE86}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RegAsm.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\\Instance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.CustomMarshalers__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e",
"HKEY_CURRENT_USER\\winmgmts",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7454be22\\631aafc0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\VFW",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\ActiveMovie\\devenum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3355219f\\255d5226",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c04f6bc\\6d975bdb",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\11e1807\\17b3fbc6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\519613b5\\6375ea68",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_CURRENT_USER\\Control Panel\\International",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f",
"HKEY_CLASSES_ROOT\\CLSID\\{62E522DC-8CF3-40A8-8B2E-37D595651E40}\\InprocServer32",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_CLASSES_ROOT\\CLSID\\{D6BDAFB2-9435-491F-BB87-6AA0F0BC31A2}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CLASSES_ROOT\\CLSID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1b61539e\\3c585e89",
"HKEY_CLASSES_ROOT\\CLSID\\{04B83D61-21AE-11D2-8B33-00600806D9B6}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\HARDWARE\\Description\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7cdb1e21\\64824de1",
"HKEY_CLASSES_ROOT\\CLSID\\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3355219f\\1de10146",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Scripting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5d608f43\\663c74a9",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a"
],
"resolves_host": [
"cuckpc",
"qaisexam.ddns.net"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\network.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\system.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019"
],
"command_line": [
"\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"schtasks.exe \/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe\""
],
"file_exists": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vLJhPMEGeucFiVaPOEALEdRuaPN.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\network.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AForge.Video.DirectShow\\AForge.Video.DirectShow.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\6Q5TLvMHuDXQT0Bn0Bnolh.resources\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.exe",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\1338.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\LZLoader\\LZLoader.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\1338.resources\\1338.resources.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\AForge.Video.DirectShow\\2.2.5.0__61ea4348d43881b7",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\assembly",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vLJhPMEGeucFiVaPOEALEdRuaPN\\vLJhPMEGeucFiVaPOEALEdRuaPN.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\system.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SlhLish3xNqEXy1qB.resources.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\6Q5TLvMHuDXQT0Bn0Bnolh.resources\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.dll",
"C:\\Windows\\Fonts\\ahronbd.ttf",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\LZLoader.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\1338.resources\\1338.resources.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SlhLish3xNqEXy1qB.resources\\SlhLish3xNqEXy1qB.resources.exe",
"C:\\Windows\\assembly\\GAC_32\\AForge.Video.DirectShow\\2.2.5.0__61ea4348d43881b7",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.config",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma\\Lzma.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AForge.Video.DirectShow.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AForge.Video.DirectShow.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\kBwCGnTY.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\6Q5TLvMHuDXQT0Bn0Bnolh.resources\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SlhLish3xNqEXy1qB.resources\\SlhLish3xNqEXy1qB.resources.dll",
"C:\\Windows\\assembly\\Desktop.ini",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SlhLish3xNqEXy1qB.resources.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\6Q5TLvMHuDXQT0Bn0Bnolh.resources\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma\\Lzma.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\LZLoader\\LZLoader.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\1338.resources.exe",
"C:\\Users\\cuck",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\1338.resources\\1338.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\1338.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SlhLish3xNqEXy1qB.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SlhLish3xNqEXy1qB.resources.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SlhLish3xNqEXy1qB.resources\\SlhLish3xNqEXy1qB.resources.dll",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AForge.Video.DirectShow\\AForge.Video.DirectShow.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC\\AForge.Video.DirectShow\\2.2.5.0__61ea4348d43881b7",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\1338.resources\\1338.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SlhLish3xNqEXy1qB.resources\\SlhLish3xNqEXy1qB.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\LZLoader.dll",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\1338.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vLJhPMEGeucFiVaPOEALEdRuaPN.dll",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vLJhPMEGeucFiVaPOEALEdRuaPN\\vLJhPMEGeucFiVaPOEALEdRuaPN.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma.dll"
],
"mutex": [
"09de80d8-6f82-4ff6-90a6-d72528e090f2",
"Global\\.net clr networking",
"eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-699399860-4089948139-3198924279-1001"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier",
"C:\\Windows\\System.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\dll\\System.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\kBwCGnTY.exe",
"C:\\Windows\\symbols\\dll\\System.pdb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin.config"
],
"wmi_query": [
"Select * from AntiVirusProduct",
"SELECT * FROM Win32_VideoController",
"SELECT * FROM FirewallProduct",
"select * from Win32_OperatingSystem"
],
"guid": [
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{860bb310-5d01-11d0-bd3b-00a0c911ce86}",
"{4590f812-1d3a-11d0-891f-00aa004b2e24}",
"{00000003-0000-0000-c000-000000000046}",
"{172bddf8-ceea-11d1-8b05-00600806d9b6}",
"{0000011a-0000-0000-c000-000000000046}",
"{29840822-5b84-11d0-bd3b-00a0c911ce86}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{62be5d10-60eb-11d0-bd3b-00a0c911ce86}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{3bc15af2-736c-477e-9e51-238af8667dcc}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}",
"{00000001-0000-0000-c000-000000000046}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Windows\\SysWOW64\\stdole2.tlb"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\Scripting\\Default Namespace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\EnableObjectValidation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\\InprocServer32\\Class",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\CustomMarshalers,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\FinalizerActivityBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus\\FontCachePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts",
"HKEY_CURRENT_USER\\Control Panel\\International\\sYearMonth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\NIDependencies",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\1DF4D951",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\IJWEntrypointCompatMode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\Settings\\Device Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo9",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\67F448ED",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\assembly\\GAC_32\\CustomMarshalers\\2.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.INI",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.INI",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring"
]
}Dropped
[
{
"yara": [],
"sha1": "83508754b756927fe4fd050ccbce53424ec8b7aa",
"name": "d3246937875e6aa6_tmp1F2F.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"type": "XML 1.0 document, ASCII text, with CRLF line terminators",
"sha256": "d3246937875e6aa66609a31820531815264df789a39c1a2a2eb90033ee40615d",
"urls": [],
"crc32": "47BA9582",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3627\/files\/d3246937875e6aa6_tmp1F2F.tmp",
"ssdeep": null,
"size": 1610,
"sha512": "63afa79ca6b888f5d8ed04d5672ec6196555ebef53e276a7e784338d2e1bb62b9b32bb3dc99aa941efe2c5f6b2e5aa5bea5f6141e056f72abb4bdd369e8ad9ef",
"pids": [
2740
],
"md5": "b6d90b5bd94cc0b9c55bed3270fa1741"
},
{
"yara": [],
"sha1": "d6eebec301619b3efa36d7673eee5529f1518745",
"name": "db00c8cd4835e5da_network.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\network.dat",
"type": "data",
"sha256": "db00c8cd4835e5da6c8f73b871329b53d60fd70009b93325c8178c9a0d135098",
"urls": [],
"crc32": "6265D4C4",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3627\/files\/db00c8cd4835e5da_network.dat",
"ssdeep": null,
"size": 50,
"sha512": "9f79a073dac673792881d519817116eb5dbe7c89bbccc84e64c97930f76f802d9fc1c05c9c5be5cb782e5ce5496fd85856ffc8bb49ddeb0df4dc5dd93f7c58d0",
"pids": [
2728
],
"md5": "c3ffb9346d44b477cfa2b6cebe1c8a74"
},
{
"yara": [],
"sha1": "f45d36f43b734fb3c48a3c46eb59d108da0bf895",
"name": "37ea3d0cb89beb8a_system.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\system.dat",
"type": "data",
"sha256": "37ea3d0cb89beb8afdc8867c69383553ac8c5d2755c9decd78515ee8ad2c4866",
"urls": [],
"crc32": "AAC1C5C3",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3627\/files\/37ea3d0cb89beb8a_system.dat",
"ssdeep": null,
"size": 18,
"sha512": "fe6d5bd05263807cfe19c3318568f976c2a22681f1fd9b348f32c8125d50e3c58ced5a808bd00ec8a24a19798546a497343b5c7be8b3fd4ba5a79d52bfe793f5",
"pids": [
2728
],
"md5": "761fadd0469ba7cb2942a63f37785422"
},
{
"yara": [],
"sha1": "62d9b77ab2764d49a18029d78cfa8723ae19f06f",
"name": "3d6b748ffd8ca381_17-11-2019",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019",
"type": "data",
"sha256": "3d6b748ffd8ca381fef385d0a9f5ff22e0f81f0524674701edf5242442950781",
"urls": [],
"crc32": "FCE2D2FE",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3627\/files\/3d6b748ffd8ca381_17-11-2019",
"ssdeep": null,
"size": 45,
"sha512": "fe2c971695e06800a536b0eb67c9748a60913771097dbcaeab955cf8a8cf74238aad54ca342fed03b26f123d2990b8ebf3ed89ab7f5e890b4efbc865a946966e",
"pids": [
2728
],
"md5": "6239075a60967348bcbc253d0976ca6d"
}
]Generic
[
{
"process_path": "C:\\Windows\\SysWOW64\\schtasks.exe",
"process_name": "schtasks.exe",
"pid": 1496,
"summary": {
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"guid": [
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"VERSION.dll",
"kernel32.dll",
"SspiCli.dll"
]
},
"first_seen": 1574045641.1399,
"ppid": 2740
},
{
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"process_name": "RegAsm.exe",
"pid": 2728,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\network.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\system.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\network.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\ActiveMovie\\devenum\\Version"
],
"dll_loaded": [
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll",
"imm32.dll",
"C:\\Windows\\System32\\mswsock.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
"kernel32",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\oleaut32.dll",
"ntdll",
"gdi32.dll",
"DNSAPI.dll",
"kernel32.dll",
"oleaut32",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"oleaut32.dll",
"ntdll.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"ADVAPI32.dll",
"ntmarta.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\system32\\napinsp.dll",
"setupapi.dll",
"advapi32.dll",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\CustomMarshalers\\bf7e7494e75e32979c7824a07570a8a9\\CustomMarshalers.ni.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"C:\\Windows\\assembly\\GAC_32\\CustomMarshalers\\2.0.0.0__b03f5f7f11d50a3a\\oleaut32",
"IPHLPAPI.DLL",
"C:\\Windows\\assembly\\GAC_32\\CustomMarshalers\\2.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.dll",
"msdmo.dll",
"WINTRUST.dll",
"AdvApi32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\wminet_utils.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll",
"C:\\Windows\\System32\\winrnr.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll",
"sxs.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"iphlpapi.dll",
"mscoree.dll",
"RpcRtRemote.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\iphlpapi.dll",
"avicap32.dll",
"Kernel32.dll",
"shfolder.dll",
"SXS.DLL",
"shell32.dll",
"WS2_32.dll",
"user32.dll",
"ws2_32.dll"
],
"file_opened": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"C:\\Windows\\assembly\\GAC_32\\CustomMarshalers\\2.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\SysWOW64\\stdole2.tlb"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.2.AForge.Video.DirectShow__61ea4348d43881b7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\296507a\\7c3adc7b",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{846EE342-7039-11DE-9D20-806E6F6E6963}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\ActiveMovie\\devenum\\{860BB310-5D01-11D0-BD3B-00A0C911CE86}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WBEM\\CIMOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RegAsm.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\\Instance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.CustomMarshalers__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e",
"HKEY_CURRENT_USER\\winmgmts",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7454be22\\631aafc0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\VFW",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\ActiveMovie\\devenum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3355219f\\255d5226",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\11e1807\\17b3fbc6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_CURRENT_USER\\Control Panel\\International",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f",
"HKEY_CLASSES_ROOT\\CLSID\\{62E522DC-8CF3-40A8-8B2E-37D595651E40}\\InprocServer32",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_CLASSES_ROOT\\CLSID\\{D6BDAFB2-9435-491F-BB87-6AA0F0BC31A2}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CLASSES_ROOT\\CLSID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a",
"HKEY_CLASSES_ROOT\\CLSID\\{04B83D61-21AE-11D2-8B33-00600806D9B6}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7cdb1e21\\64824de1",
"HKEY_CLASSES_ROOT\\CLSID\\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3355219f\\1de10146",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Scripting",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5d608f43\\663c74a9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a"
],
"resolves_host": [
"cuckpc",
"qaisexam.ddns.net"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\network.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\system.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019"
],
"file_exists": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vLJhPMEGeucFiVaPOEALEdRuaPN.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\network.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AForge.Video.DirectShow\\AForge.Video.DirectShow.dll",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\1338.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\LZLoader\\LZLoader.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\1338.resources\\1338.resources.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\AForge.Video.DirectShow\\2.2.5.0__61ea4348d43881b7",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\assembly",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vLJhPMEGeucFiVaPOEALEdRuaPN\\vLJhPMEGeucFiVaPOEALEdRuaPN.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring\\system.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\LZLoader.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\1338.resources\\1338.resources.dll",
"C:\\Windows\\assembly\\GAC_32\\AForge.Video.DirectShow\\2.2.5.0__61ea4348d43881b7",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma\\Lzma.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AForge.Video.DirectShow.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AForge.Video.DirectShow.exe",
"C:\\Windows\\assembly\\Desktop.ini",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma\\Lzma.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\LZLoader\\LZLoader.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\1338.resources.exe",
"C:\\Users\\cuck",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\1338.resources\\1338.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\1338.resources.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AForge.Video.DirectShow\\AForge.Video.DirectShow.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC\\AForge.Video.DirectShow\\2.2.5.0__61ea4348d43881b7",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\1338.resources\\1338.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\LZLoader.dll",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\1338.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vLJhPMEGeucFiVaPOEALEdRuaPN.dll",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vLJhPMEGeucFiVaPOEALEdRuaPN\\vLJhPMEGeucFiVaPOEALEdRuaPN.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma.dll"
],
"mutex": [
"09de80d8-6f82-4ff6-90a6-d72528e090f2",
"Global\\.net clr networking",
"eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-699399860-4089948139-3198924279-1001"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier",
"C:\\Windows\\System.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\dll\\System.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
"C:\\Windows\\symbols\\dll\\System.pdb"
],
"wmi_query": [
"Select * from AntiVirusProduct",
"SELECT * FROM Win32_VideoController",
"SELECT * FROM FirewallProduct",
"select * from Win32_OperatingSystem"
],
"guid": [
"{4590f812-1d3a-11d0-891f-00aa004b2e24}",
"{860bb310-5d01-11d0-bd3b-00a0c911ce86}",
"{00000003-0000-0000-c000-000000000046}",
"{172bddf8-ceea-11d1-8b05-00600806d9b6}",
"{0000011a-0000-0000-c000-000000000046}",
"{29840822-5b84-11d0-bd3b-00a0c911ce86}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{62be5d10-60eb-11d0-bd3b-00a0c911ce86}",
"{3bc15af2-736c-477e-9e51-238af8667dcc}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{00000001-0000-0000-c000-000000000046}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs\\17-11-2019",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Windows\\SysWOW64\\stdole2.tlb"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\Scripting\\Default Namespace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\WBEM\\CIMOM\\EnableObjectValidation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\\InprocServer32\\Class",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\CustomMarshalers,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\FinalizerActivityBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts",
"HKEY_CURRENT_USER\\Control Panel\\International\\sYearMonth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\1DF4D951",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\IJWEntrypointCompatMode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\109d7e79\\357ee49a\\44\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\357ee49a\\7d2df0ec\\41\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3d590c3f\\59f3b67b\\82\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo9",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msvideo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Windows\\assembly\\GAC_32\\CustomMarshalers\\2.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Logs",
"C:\\Users\\cuck\\AppData\\Roaming\\Imminent\\Monitoring"
]
},
"first_seen": 1574045642.8742,
"ppid": 2740
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"process_name": "549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"pid": 2740,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp"
],
"dll_loaded": [
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\shell32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"kernel32",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\oleaut32.dll",
"ntdll",
"gdi32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll",
"kernel32.dll",
"gdiplus.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"oleaut32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"shfolder.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"ADVAPI32.dll",
"ntmarta.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"advapi32.dll",
"ole32.dll",
"SHLWAPI.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll",
"C:\\Windows\\system32\\IMM32.DLL",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll",
"AdvApi32.dll",
"uxtheme.dll",
"OLEAUT32.dll",
"psapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"WindowsCodecs.dll",
"CRYPTSP.dll",
"mscoree.dll",
"RpcRtRemote.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\wminet_utils.dll",
"shell32.dll",
"SETUPAPI.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Runtime.Remo#\\5cae93d923c8378370758489e5535820\\System.Runtime.Remoting.ni.dll",
"user32.dll"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\kBwCGnTY.exe"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"C:\\Users\\cuck\\AppData\\Roaming\\kBwCGnTY.exe"
]
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\519613b5\\7c7c3a83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.DirectoryServices__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c04f6bc\\27b8c711",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c04f6bc\\6d975bdb",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\519613b5\\6375ea68",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\Settings",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance\\Disabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_CLASSES_ROOT\\CLSID\\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\\Instance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1b61539e\\3c585e89",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\HARDWARE\\Description\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88"
],
"command_line": [
"\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"schtasks.exe \/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe\""
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2740.16896828",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2740.16896812",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2740.16896812"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SlhLish3xNqEXy1qB.resources\\SlhLish3xNqEXy1qB.resources.exe",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SlhLish3xNqEXy1qB.resources\\SlhLish3xNqEXy1qB.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SlhLish3xNqEXy1qB.resources.dll",
"C:\\Windows\\Fonts\\ahronbd.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SlhLish3xNqEXy1qB.resources\\SlhLish3xNqEXy1qB.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.config",
"C:\\Users\\cuck\\AppData\\Roaming\\kBwCGnTY.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.exe",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SlhLish3xNqEXy1qB.resources.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\6Q5TLvMHuDXQT0Bn0Bnolh.resources\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\6Q5TLvMHuDXQT0Bn0Bnolh.resources\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SlhLish3xNqEXy1qB.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SlhLish3xNqEXy1qB.resources\\SlhLish3xNqEXy1qB.resources.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\6Q5TLvMHuDXQT0Bn0Bnolh.resources\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\6Q5TLvMHuDXQT0Bn0Bnolh.resources\\6Q5TLvMHuDXQT0Bn0Bnolh.resources.exe",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SlhLish3xNqEXy1qB.resources.exe"
],
"file_opened": [
"C:\\Windows\\Fonts\\msyh.ttf",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\Fonts\\micross.ttf",
"C:\\Windows\\Fonts\\tahoma.ttf",
"C:\\Windows\\Fonts\\segoeui.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.bin",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
"C:\\Users\\cuck\\AppData\\Roaming\\",
"C:\\Windows\\Fonts\\msjh.ttf",
"C:\\Windows\\Fonts\\malgun.ttf",
"C:\\Users\\cuck\\AppData\\Roaming\\kBwCGnTY.exe",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp"
],
"wmi_query": [
"SELECT * FROM Win32_VideoController"
],
"guid": [
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{00000001-0000-0000-c000-000000000046}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\FinalizerActivityBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus\\FontCachePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\67F448ED",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\Settings\\Device Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\432ba598\\f6e8397\\6f\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3a6a696d\\52d7076e\\72\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Remoting\\2.0.0.0__b77a5c561934e089\\System.Runtime.Remoting.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.INI",
"C:\\Users\\cuck",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
]
},
"first_seen": 1574045589.6094,
"ppid": 1664
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1574045589.3281,
"ppid": 376
}
]Signatures
[
{
"markcount": 11,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045640.9214,
"tid": 344,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2192
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045641.2019,
"tid": 1468,
"flags": {}
},
"pid": 1496,
"type": "call",
"cid": 39
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045643.7023,
"tid": 2580,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 2188
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045643.7492,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 2491
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045643.8433,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 3201
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045644.9992,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 3801
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045645.0152,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 3846
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045645.0463,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 4107
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045645.0622,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 4263
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045645.1402,
"tid": 608,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 5092
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574045645.4523,
"tid": 2988,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7230
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 3,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574045589.7964,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 365
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 127,
"nt_status": -1073741511,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574045640.2654,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 1838
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574045642.9992,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 315
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "Command line console output was observed",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "SUCCESS: The scheduled task \"Updates\\kBwCGnTY\" has successfully been created.\n",
"console_handle": "0x00000007"
},
"time": 1574045641.3899,
"tid": 1468,
"flags": {}
},
"pid": 1496,
"type": "call",
"cid": 52
}
],
"references": [],
"name": "console_output"
},
{
"markcount": 3,
"families": [
"generic"
],
"description": "Uses Windows APIs to generate a cryptographic key",
"severity": 1,
"marks": [
{
"call": {
"category": "crypto",
"status": 1,
"stacktrace": [],
"api": "CryptExportKey",
"return_value": 1,
"arguments": {
"crypto_handle": "0x004cb6b0",
"crypto_export_handle": "0x00000000",
"buffer": "",
"blob_type": 6,
"flags": 0
},
"time": 1574045645.1713,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 5177
},
{
"call": {
"category": "crypto",
"status": 1,
"stacktrace": [],
"api": "CryptExportKey",
"return_value": 1,
"arguments": {
"crypto_handle": "0x004cb6b0",
"crypto_export_handle": "0x00000000",
"buffer": "",
"blob_type": 6,
"flags": 0
},
"time": 1574045645.1713,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 5181
},
{
"call": {
"category": "crypto",
"status": 1,
"stacktrace": [],
"api": "CryptExportKey",
"return_value": 1,
"arguments": {
"crypto_handle": "0x004cb5b0",
"crypto_export_handle": "0x00000000",
"buffer": "",
"blob_type": 6,
"flags": 0
},
"time": 1574045645.1713,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 5194
}
],
"references": [],
"name": "generates_crypto_key"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1574045641.4374,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2518
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 1,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n7\nd\n3\ne\n4\n8\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n2\n9\n8\n7\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\nb\n4\nc\n \n@\n \n0\nx\n7\n1\n2\n0\n1\nb\n4\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n1\n2\n1\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n1\n2\n2\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n1\n2\n2\n6\na\n5\nf\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n3\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n7\nd\n \n@\n \n0\nx\n7\n1\n2\n2\n6\na\n7\nd\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n3\n2\n9\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n5\na\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n4\n5\nc\n \n@\n \n0\nx\n7\n1\n3\n6\n5\n4\n5\nc\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n4\n8\n7\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n4\n4\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n5\nb\na\n \n@\n \n0\nx\n7\n1\n3\n6\n5\n5\nb\na\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n4\n5\n8\n \n@\n \n0\nx\n7\n0\n9\n1\n5\n4\n5\n8\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n2\n5\nf\n \n@\n \n0\nx\n7\n0\n9\n1\n5\n2\n5\nf\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n0\ne\ne\n \n@\n \n0\nx\n7\n0\n9\n1\n5\n0\ne\ne\n\n\n0\nx\n8\n6\n0\n2\nb\n2\n\n\n0\nx\n8\n6\n0\n1\ne\n9\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n2\n9\n8\n7\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\nb\n4\nc\n \n@\n \n0\nx\n7\n1\n2\n0\n1\nb\n4\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n1\n2\n1\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n1\n2\n2\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n1\n2\n2\n6\na\n5\nf\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n3\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n7\nd\n \n@\n \n0\nx\n7\n1\n2\n2\n6\na\n7\nd\n\n\nS\nt\nr\no\nn\ng\nN\na\nm\ne\nE\nr\nr\no\nr\nI\nn\nf\no\n+\n0\nx\nf\nd\n7\n9\n \n_\nC\no\nr\nE\nx\ne\nM\na\ni\nn\n-\n0\nx\n4\nb\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\nc\n6\na\n8\nd\n \n@\n \n0\nx\n7\n1\n2\nc\n6\na\n8\nd\n\n\nS\nt\nr\no\nn\ng\nN\na\nm\ne\nE\nr\nr\no\nr\nI\nn\nf\no\n+\n0\nx\nf\nc\n9\n9\n \n_\nC\no\nr\nE\nx\ne\nM\na\ni\nn\n-\n0\nx\n5\n9\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\nc\n6\n9\na\nd\n \n@\n \n0\nx\n7\n1\n2\nc\n6\n9\na\nd\n\n\nS\nt\nr\no\nn\ng\nN\na\nm\ne\nE\nr\nr\no\nr\nI\nn\nf\no\n+\n0\nx\n1\n0\n1\nb\n6\n \n_\nC\no\nr\nE\nx\ne\nM\na\ni\nn\n-\n0\nx\n8\n2\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\nc\n6\ne\nc\na\n \n@\n \n0\nx\n7\n1\n2\nc\n6\ne\nc\na\n\n\n_\nC\no\nr\nE\nx\ne\nM\na\ni\nn\n+\n0\nx\n1\n6\n8\n \nC\nl\nr\nC\nr\ne\na\nt\ne\nM\na\nn\na\ng\ne\nd\nI\nn\ns\nt\na\nn\nc\ne\n-\n0\nx\n4\n2\na\n6\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\nc\n7\n0\nb\n4\n \n@\n \n0\nx\n7\n1\n2\nc\n7\n0\nb\n4\n\n\n_\nC\no\nr\nE\nx\ne\nM\na\ni\nn\n+\n0\nx\n9\n8\n \nC\nl\nr\nC\nr\ne\na\nt\ne\nM\na\nn\na\ng\ne\nd\nI\nn\ns\nt\na\nn\nc\ne\n-\n0\nx\n4\n3\n7\n6\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\nc\n6\nf\ne\n4\n \n@\n \n0\nx\n7\n1\n2\nc\n6\nf\ne\n4\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\n2\nc\na\n0\n \nG\ne\nt\nT\no\nk\ne\nn\nF\no\nr\nV\nT\na\nb\nl\ne\nE\nn\nt\nr\ny\n-\n0\nx\n9\n5\nc\nc\n \nm\ns\nc\no\nr\ne\ne\n+\n0\nx\nb\n7\n7\nb\n \n@\n \n0\nx\n7\n5\n2\n1\nb\n7\n7\nb\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\n2\nc\n6\n2\n \nG\ne\nt\nT\no\nk\ne\nn\nF\no\nr\nV\nT\na\nb\nl\ne\nE\nn\nt\nr\ny\n-\n0\nx\n9\n6\n0\na\n \nm\ns\nc\no\nr\ne\ne\n+\n0\nx\nb\n7\n3\nd\n \n@\n \n0\nx\n7\n5\n2\n1\nb\n7\n3\nd\n\n\n_\nC\no\nr\nE\nx\ne\nM\na\ni\nn\n+\n0\nx\n8\n \nC\nr\ne\na\nt\ne\nC\no\nn\nf\ni\ng\nS\nt\nr\ne\na\nm\n-\n0\nx\n2\nf\nf\n4\n \nm\ns\nc\no\nr\ne\ne\n+\n0\nx\n4\nd\ne\n3\n \n@\n \n0\nx\n7\n5\n2\n1\n4\nd\ne\n3\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 3402960,
"edi": 3402984,
"eax": 1,
"ebp": 3403000,
"edx": 4,
"ebx": 46535368,
"esi": 0,
"ecx": 0
},
"exception": {
"instruction_r": "39 09 ff 15 60 39 f1 00 8b f0 68 d4 82 5e 00 ba",
"instruction": "cmp dword ptr [ecx], ecx",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x7d43da"
}
},
"time": 1574045643.6093,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 1511
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 196,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f1000"
},
"time": 1574045589.7804,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2740,
"type": "call",
"cid": 255
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0053a000"
},
"time": 1574045589.7964,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 377
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749f2000"
},
"time": 1574045589.7964,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2740,
"type": "call",
"cid": 378
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00532000"
},
"time": 1574045589.7964,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 379
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00542000"
},
"time": 1574045589.8124,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 507
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00543000"
},
"time": 1574045589.8274,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 581
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0057b000"
},
"time": 1574045589.8274,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 588
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00577000"
},
"time": 1574045589.8274,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 589
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0054c000"
},
"time": 1574045589.8594,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 796
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00544000"
},
"time": 1574045589.8744,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 891
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a00000"
},
"time": 1574045589.8744,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 893
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00546000"
},
"time": 1574045589.8744,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 901
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0056a000"
},
"time": 1574045589.8904,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 920
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0055a000"
},
"time": 1574045589.8904,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 923
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00557000"
},
"time": 1574045589.8904,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 924
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0053b000"
},
"time": 1574045589.9054,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1016
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00562000"
},
"time": 1574045589.9054,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1020
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0056c000"
},
"time": 1574045589.9054,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1021
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00547000"
},
"time": 1574045589.9214,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1027
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 327680,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 1056768,
"base_address": "0x7ef60000"
},
"time": 1574045589.9214,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE|MEM_TOP_DOWN"
}
},
"pid": 2740,
"type": "call",
"cid": 1033
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x7ef60000"
},
"time": 1574045589.9214,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1034
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x7ef60000"
},
"time": 1574045589.9214,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1035
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 1056768,
"base_address": "0x7ef50000"
},
"time": 1574045589.9214,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE|MEM_TOP_DOWN"
}
},
"pid": 2740,
"type": "call",
"cid": 1036
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x7ef50000"
},
"time": 1574045589.9214,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1037
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a01000"
},
"time": 1574045589.9524,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1043
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a02000"
},
"time": 1574045589.9524,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1048
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00556000"
},
"time": 1574045590.0154,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1463
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0054a000"
},
"time": 1574045590.0154,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1467
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x020d0000"
},
"time": 1574045590.0304,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1472
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00575000"
},
"time": 1574045590.0304,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1518
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00621000"
},
"time": 1574045590.0464,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1569
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a03000"
},
"time": 1574045590.0624,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1596
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a05000"
},
"time": 1574045590.0934,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1658
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00533000"
},
"time": 1574045590.2184,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1729
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00548000"
},
"time": 1574045590.2184,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1736
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x020d1000"
},
"time": 1574045590.2494,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1776
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a06000"
},
"time": 1574045590.2654,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 1783
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0054b000"
},
"time": 1574045640.9214,
"tid": 344,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 2106
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x05db0000"
},
"time": 1574045640.9214,
"tid": 344,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 2123
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x05db1000"
},
"time": 1574045640.9214,
"tid": 344,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 2138
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x05db2000"
},
"time": 1574045640.9214,
"tid": 344,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 2151
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x020d2000"
},
"time": 1574045640.9844,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 2309
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a07000"
},
"time": 1574045640.9844,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 2340
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a08000"
},
"time": 1574045641.4054,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 2501
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2740,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x020d3000"
},
"time": 1574045641.4374,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2740,
"type": "call",
"cid": 2508
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2728,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x71201000"
},
"time": 1574045642.9843,
"tid": 852,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2728,
"type": "call",
"cid": 66
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2728,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74f64000"
},
"time": 1574045642.9843,
"tid": 852,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2728,
"type": "call",
"cid": 68
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2728,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x71201000"
},
"time": 1574045642.9843,
"tid": 852,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2728,
"type": "call",
"cid": 203
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2728,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x005da000"
},
"time": 1574045642.9992,
"tid": 852,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2728,
"type": "call",
"cid": 326
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2728,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x71202000"
},
"time": 1574045642.9992,
"tid": 852,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2728,
"type": "call",
"cid": 327
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 0,
"families": [],
"description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed",
"severity": 2,
"marks": [],
"references": [
"https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb"
],
"name": "antisandbox_foregroundwindows"
},
{
"markcount": 1,
"families": [],
"description": "A process attempted to delay the analysis task.",
"severity": 2,
"marks": [
{
"type": "generic",
"description": "RegAsm.exe tried to sleep 724 seconds, actually delayed analysis time by 724 seconds"
}
],
"references": [],
"name": "antisandbox_sleep"
},
{
"markcount": 2,
"families": [],
"description": "Creates a suspicious process",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "schtasks.exe \/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "suspicious_process"
},
{
"markcount": 1,
"families": [],
"description": "A process created a hidden window",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "ShellExecuteExW",
"return_value": 1,
"arguments": {
"parameters": "\/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"filepath": "schtasks.exe",
"filepath_r": "schtasks.exe",
"show_type": 0
},
"time": 1574045641.0624,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2492
}
],
"references": [],
"name": "stealth_window"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "GetAdaptersAddresses",
"return_value": 0,
"arguments": {
"flags": 1158,
"family": 0
},
"time": 1574045643.6402,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 1730
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.9597205099543,
"section": {
"size_of_data": "0x00071e00",
"virtual_address": "0x00002000",
"entropy": 7.9597205099543,
"name": ".text",
"virtual_size": "0x00071c64"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.99454148471616,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 2,
"families": [],
"description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
"severity": 2,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1574045590.2494,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 1763
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1574045645.4523,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7209
}
],
"references": [],
"name": "privilege_luid_check"
},
{
"markcount": 2,
"families": [],
"description": "Uses Windows utilities for basic Windows functionality",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "schtasks.exe \/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"type": "ioc",
"description": null
}
],
"references": [
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
],
"name": "uses_windows_utilities"
},
{
"markcount": 1,
"families": [],
"description": "Allocates execute permission to another process indicative of possible code injection",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2728,
"region_size": 352256,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x000003d0",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1574045641.4374,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2740,
"type": "call",
"cid": 2513
}
],
"references": [],
"name": "allocates_execute_remote_process"
},
{
"markcount": 1,
"families": [],
"description": "Looks for the Windows Idle Time to determine the uptime",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "NtQuerySystemInformation",
"return_value": 0,
"arguments": {
"information_class": 8
},
"time": 1574045647.0303,
"tid": 2736,
"flags": {
"information_class": "SystemProcessorPerformanceInformation"
}
},
"pid": 2728,
"type": "call",
"cid": 7456
}
],
"references": [],
"name": "antisandbox_idletime"
},
{
"markcount": 2,
"families": [],
"description": "Checks the version of Bios, possibly for anti-virtualization",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_generic_bios"
},
{
"markcount": 1,
"families": [],
"description": "Detects virtualization software with SCSI Disk Identifier trick(s)",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\0",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_generic_scsi"
},
{
"markcount": 1,
"families": [],
"description": "Deletes executed files from disk",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "deletes_executed_files"
},
{
"markcount": 4,
"families": [],
"description": "Executes one or more WMI queries",
"severity": 3,
"marks": [
{
"category": "wmi",
"ioc": "Select * from AntiVirusProduct",
"type": "ioc",
"description": null
},
{
"category": "wmi",
"ioc": "SELECT * FROM Win32_VideoController",
"type": "ioc",
"description": null
},
{
"category": "wmi",
"ioc": "SELECT * FROM FirewallProduct",
"type": "ioc",
"description": null
},
{
"category": "wmi",
"ioc": "select * from Win32_OperatingSystem",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_wmi"
},
{
"markcount": 4,
"families": [],
"description": "Potential code injection by writing to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0003\u0000\u00b4\u0091\u00c0\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002\u0001\u000b\u0001\b\u0000\u0000\u0000\u0005\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000^\u001e\u0005\u0000\u0000 \u0000\u0000\u0000 \u0005\u0000\u0000\u0000@\u0000\u0000 \u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0005\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000@\u0085\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u001e\u0005\u0000W\u0000\u0000\u0000\u0000 \u0005\u0000\u00c0\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0005\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b \u0000\u0000H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000d\u00fe\u0004\u0000\u0000 \u0000\u0000\u0000\u0000\u0005\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rsrc\u0000\u0000\u0000\u00c0\u0002\u0000\u0000\u0000 \u0005\u0000\u0000\u0004\u0000\u0000\u0000\u0002\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.reloc\u0000\u0000\f\u0000\u0000\u0000\u0000@\u0005\u0000\u0000\u0002\u0000\u0000\u0000\u0006\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000003d0",
"base_address": "0x00400000"
},
"time": 1574045641.4374,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2515
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0000\u0018\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0000\u00000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000H\u0000\u0000\u0000X \u0005\u0000h\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000h\u00024\u0000\u0000\u0000V\u0000S\u0000_\u0000V\u0000E\u0000R\u0000S\u0000I\u0000O\u0000N\u0000_\u0000I\u0000N\u0000F\u0000O\u0000\u0000\u0000\u0000\u0000\u00bd\u0004\u00ef\u00fe\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000?\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000D\u0000\u0000\u0000\u0001\u0000V\u0000a\u0000r\u0000F\u0000i\u0000l\u0000e\u0000I\u0000n\u0000f\u0000o\u0000\u0000\u0000\u0000\u0000$\u0000\u0004\u0000\u0000\u0000T\u0000r\u0000a\u0000n\u0000s\u0000l\u0000a\u0000t\u0000i\u0000o\u0000n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b0\u0004\u00c8\u0001\u0000\u0000\u0001\u0000S\u0000t\u0000r\u0000i\u0000n\u0000g\u0000F\u0000i\u0000l\u0000e\u0000I\u0000n\u0000f\u0000o\u0000\u0000\u0000\u00a4\u0001\u0000\u0000\u0001\u00000\u00000\u00000\u00000\u00000\u00004\u0000b\u00000\u0000\u0000\u0000\u001c\u0000\u0002\u0000\u0001\u0000C\u0000o\u0000m\u0000m\u0000e\u0000n\u0000t\u0000s\u0000\u0000\u0000 \u0000\u0000\u0000<\u0000\t\u0000\u0001\u0000F\u0000i\u0000l\u0000e\u0000D\u0000e\u0000s\u0000c\u0000r\u0000i\u0000p\u0000t\u0000i\u0000o\u0000n\u0000\u0000\u0000\u0000\u00001\u00003\u00003\u00008\u0000.\u0000e\u0000x\u0000e\u0000\u0000\u0000\u0000\u00000\u0000\b\u0000\u0001\u0000F\u0000i\u0000l\u0000e\u0000V\u0000e\u0000r\u0000s\u0000i\u0000o\u0000n\u0000\u0000\u0000\u0000\u00001\u0000.\u00000\u0000.\u00000\u0000.\u00000\u0000\u0000\u00004\u0000\t\u0000\u0001\u0000I\u0000n\u0000t\u0000e\u0000r\u0000n\u0000a\u0000l\u0000N\u0000a\u0000m\u0000e\u0000\u0000\u00001\u00003\u00003\u00008\u0000.\u0000e\u0000x\u0000e\u0000\u0000\u0000\u0000\u0000(\u0000\u0002\u0000\u0001\u0000L\u0000e\u0000g\u0000a\u0000l\u0000C\u0000o\u0000p\u0000y\u0000r\u0000i\u0000g\u0000h\u0000t\u0000\u0000\u0000 \u0000\u0000\u0000<\u0000\t\u0000\u0001\u0000O\u0000r\u0000i\u0000g\u0000i\u0000n\u0000a\u0000l\u0000F\u0000i\u0000l\u0000e\u0000n\u0000a\u0000m\u0000e\u0000\u0000\u00001\u00003\u00003\u00008\u0000.\u0000e\u0000x\u0000e\u0000\u0000\u0000\u0000\u00004\u0000\b\u0000\u0001\u0000P\u0000r\u0000o\u0000d\u0000u\u0000c\u0000t\u0000V\u0000e\u0000r\u0000s\u0000i\u0000o\u0000n\u0000\u0000\u00001\u0000.\u00000\u0000.\u00000\u0000.\u00000\u0000\u0000\u00008\u0000\b\u0000\u0001\u0000A\u0000s\u0000s\u0000e\u0000m\u0000b\u0000l\u0000y\u0000 \u0000V\u0000e\u0000r\u0000s\u0000i\u0000o\u0000n\u0000\u0000\u00001\u0000.\u00000\u0000.\u00000\u0000.\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000003d0",
"base_address": "0x00452000"
},
"time": 1574045641.4524,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2524
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "\u0000\u0010\u0005\u0000\f\u0000\u0000\u0000`>\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000003d0",
"base_address": "0x00454000"
},
"time": 1574045641.4524,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2525
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x000003d0",
"base_address": "0x7efde008"
},
"time": 1574045641.4524,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2526
}
],
"references": [],
"name": "injection_write_memory"
},
{
"markcount": 1,
"families": [],
"description": "Code injection by writing an executable or DLL to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0003\u0000\u00b4\u0091\u00c0\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002\u0001\u000b\u0001\b\u0000\u0000\u0000\u0005\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000^\u001e\u0005\u0000\u0000 \u0000\u0000\u0000 \u0005\u0000\u0000\u0000@\u0000\u0000 \u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0005\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000@\u0085\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u001e\u0005\u0000W\u0000\u0000\u0000\u0000 \u0005\u0000\u00c0\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0005\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b \u0000\u0000H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000d\u00fe\u0004\u0000\u0000 \u0000\u0000\u0000\u0000\u0005\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rsrc\u0000\u0000\u0000\u00c0\u0002\u0000\u0000\u0000 \u0005\u0000\u0000\u0004\u0000\u0000\u0000\u0002\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.reloc\u0000\u0000\f\u0000\u0000\u0000\u0000@\u0005\u0000\u0000\u0002\u0000\u0000\u0000\u0006\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000003d0",
"base_address": "0x00400000"
},
"time": 1574045641.4374,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2515
}
],
"references": [],
"name": "injection_write_memory_exe"
},
{
"markcount": 1,
"families": [],
"description": "Creates a windows hook that monitors keyboard input (keylogger)",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "SetWindowsHookExA",
"return_value": 3473849,
"arguments": {
"thread_identifier": 0,
"callback_function": "0x006118ea",
"module_address": "0x00000000",
"hook_identifier": 13
},
"time": 1574045645.2492,
"tid": 852,
"flags": {
"hook_identifier": "WH_KEYBOARD_LL"
}
},
"pid": 2728,
"type": "call",
"cid": 5789
}
],
"references": [],
"name": "infostealer_keylogger"
},
{
"markcount": 2,
"families": [],
"description": "Used NtSetContextThread to modify a thread in a remote process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2740 called NtSetContextThread to modify thread in remote process 2728",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000003d4",
"registers": {
"eip": 0,
"esp": 0,
"edi": 0,
"eax": 4529758,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2728
},
"time": 1574045641.4524,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2528
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_ntsetcontextthread"
},
{
"markcount": 2,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2740 resumed a thread in remote process 2728",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000003d4",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045642.7494,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2530
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
},
{
"markcount": 1,
"families": [],
"description": "Detects VirtualBox through the presence of a registry key",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_vbox_keys"
},
{
"markcount": 1,
"families": [],
"description": "Detects VMWare through the presence of a registry key",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_vmware_keys"
},
{
"markcount": 1,
"families": [],
"description": "Detects the presence of Wine emulator",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 127,
"nt_status": -1073741511,
"api": "LdrGetProcedureAddress",
"return_value": 3221225785,
"arguments": {
"ordinal": 0,
"module": "KERNEL32",
"module_address": "0x75bb0000",
"function_address": "0x0038d9ec",
"function_name": "wine_get_unix_file_name"
},
"time": 1574045640.8274,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 1935
}
],
"references": [],
"name": "antiemu_wine"
},
{
"markcount": 34,
"families": [],
"description": "Executed a process and injected code into it, probably while unpacking",
"severity": 5,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000cc",
"suspend_count": 1,
"process_identifier": 2740
},
"time": 1574045589.7964,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 362
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000158",
"suspend_count": 1,
"process_identifier": 2740
},
"time": 1574045589.8124,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 450
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000264",
"suspend_count": 1,
"process_identifier": 2740
},
"time": 1574045640.8434,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 1949
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002d0",
"suspend_count": 1,
"process_identifier": 2740
},
"time": 1574045640.8744,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2072
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1468,
"thread_handle": "0x000003f4",
"process_identifier": 1496,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp",
"filepath": "C:\\Windows\\System32\\schtasks.exe",
"track": 1,
"command_line": "\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/TN \"Updates\\kBwCGnTY\" \/XML \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmp1F2F.tmp\"",
"filepath_r": "C:\\Windows\\System32\\schtasks.exe",
"stack_pivoted": 0,
"creation_flags": 67634192,
"process_handle": "0x00000414",
"inherit_handles": 0
},
"time": 1574045641.0624,
"tid": 2436,
"flags": {
"creation_flags": "CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
}
},
"pid": 2740,
"type": "call",
"cid": 2491
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 852,
"thread_handle": "0x000003d4",
"process_identifier": 2728,
"current_directory": "",
"filepath": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"track": 1,
"command_line": "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe\"",
"filepath_r": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000003d0",
"inherit_handles": 0
},
"time": 1574045641.4374,
"tid": 2436,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2740,
"type": "call",
"cid": 2506
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000003d4"
},
"time": 1574045641.4374,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2509
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2728,
"region_size": 352256,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x000003d0",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1574045641.4374,
"tid": 2436,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2740,
"type": "call",
"cid": 2513
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0003\u0000\u00b4\u0091\u00c0\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002\u0001\u000b\u0001\b\u0000\u0000\u0000\u0005\u0000\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0000^\u001e\u0005\u0000\u0000 \u0000\u0000\u0000 \u0005\u0000\u0000\u0000@\u0000\u0000 \u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0005\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000@\u0085\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u001e\u0005\u0000W\u0000\u0000\u0000\u0000 \u0005\u0000\u00c0\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0005\u0000\f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b \u0000\u0000H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000d\u00fe\u0004\u0000\u0000 \u0000\u0000\u0000\u0000\u0005\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rsrc\u0000\u0000\u0000\u00c0\u0002\u0000\u0000\u0000 \u0005\u0000\u0000\u0004\u0000\u0000\u0000\u0002\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.reloc\u0000\u0000\f\u0000\u0000\u0000\u0000@\u0005\u0000\u0000\u0002\u0000\u0000\u0000\u0006\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000003d0",
"base_address": "0x00400000"
},
"time": 1574045641.4374,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2515
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "",
"process_handle": "0x000003d0",
"base_address": "0x00402000"
},
"time": 1574045641.4374,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2523
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0000\u0018\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0001\u0000\u0000\u00000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000H\u0000\u0000\u0000X \u0005\u0000h\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000h\u00024\u0000\u0000\u0000V\u0000S\u0000_\u0000V\u0000E\u0000R\u0000S\u0000I\u0000O\u0000N\u0000_\u0000I\u0000N\u0000F\u0000O\u0000\u0000\u0000\u0000\u0000\u00bd\u0004\u00ef\u00fe\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000?\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000D\u0000\u0000\u0000\u0001\u0000V\u0000a\u0000r\u0000F\u0000i\u0000l\u0000e\u0000I\u0000n\u0000f\u0000o\u0000\u0000\u0000\u0000\u0000$\u0000\u0004\u0000\u0000\u0000T\u0000r\u0000a\u0000n\u0000s\u0000l\u0000a\u0000t\u0000i\u0000o\u0000n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b0\u0004\u00c8\u0001\u0000\u0000\u0001\u0000S\u0000t\u0000r\u0000i\u0000n\u0000g\u0000F\u0000i\u0000l\u0000e\u0000I\u0000n\u0000f\u0000o\u0000\u0000\u0000\u00a4\u0001\u0000\u0000\u0001\u00000\u00000\u00000\u00000\u00000\u00004\u0000b\u00000\u0000\u0000\u0000\u001c\u0000\u0002\u0000\u0001\u0000C\u0000o\u0000m\u0000m\u0000e\u0000n\u0000t\u0000s\u0000\u0000\u0000 \u0000\u0000\u0000<\u0000\t\u0000\u0001\u0000F\u0000i\u0000l\u0000e\u0000D\u0000e\u0000s\u0000c\u0000r\u0000i\u0000p\u0000t\u0000i\u0000o\u0000n\u0000\u0000\u0000\u0000\u00001\u00003\u00003\u00008\u0000.\u0000e\u0000x\u0000e\u0000\u0000\u0000\u0000\u00000\u0000\b\u0000\u0001\u0000F\u0000i\u0000l\u0000e\u0000V\u0000e\u0000r\u0000s\u0000i\u0000o\u0000n\u0000\u0000\u0000\u0000\u00001\u0000.\u00000\u0000.\u00000\u0000.\u00000\u0000\u0000\u00004\u0000\t\u0000\u0001\u0000I\u0000n\u0000t\u0000e\u0000r\u0000n\u0000a\u0000l\u0000N\u0000a\u0000m\u0000e\u0000\u0000\u00001\u00003\u00003\u00008\u0000.\u0000e\u0000x\u0000e\u0000\u0000\u0000\u0000\u0000(\u0000\u0002\u0000\u0001\u0000L\u0000e\u0000g\u0000a\u0000l\u0000C\u0000o\u0000p\u0000y\u0000r\u0000i\u0000g\u0000h\u0000t\u0000\u0000\u0000 \u0000\u0000\u0000<\u0000\t\u0000\u0001\u0000O\u0000r\u0000i\u0000g\u0000i\u0000n\u0000a\u0000l\u0000F\u0000i\u0000l\u0000e\u0000n\u0000a\u0000m\u0000e\u0000\u0000\u00001\u00003\u00003\u00008\u0000.\u0000e\u0000x\u0000e\u0000\u0000\u0000\u0000\u00004\u0000\b\u0000\u0001\u0000P\u0000r\u0000o\u0000d\u0000u\u0000c\u0000t\u0000V\u0000e\u0000r\u0000s\u0000i\u0000o\u0000n\u0000\u0000\u00001\u0000.\u00000\u0000.\u00000\u0000.\u00000\u0000\u0000\u00008\u0000\b\u0000\u0001\u0000A\u0000s\u0000s\u0000e\u0000m\u0000b\u0000l\u0000y\u0000 \u0000V\u0000e\u0000r\u0000s\u0000i\u0000o\u0000n\u0000\u0000\u00001\u0000.\u00000\u0000.\u00000\u0000.\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000003d0",
"base_address": "0x00452000"
},
"time": 1574045641.4524,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2524
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "\u0000\u0010\u0005\u0000\f\u0000\u0000\u0000`>\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000003d0",
"base_address": "0x00454000"
},
"time": 1574045641.4524,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2525
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2728,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x000003d0",
"base_address": "0x7efde008"
},
"time": 1574045641.4524,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2526
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000003d4",
"registers": {
"eip": 0,
"esp": 0,
"edi": 0,
"eax": 4529758,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2728
},
"time": 1574045641.4524,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2528
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000003d4",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045642.7494,
"tid": 2436,
"flags": {}
},
"pid": 2740,
"type": "call",
"cid": 2530
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000015c",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045642.9992,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 313
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000001b0",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045643.0152,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 380
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000204",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045643.5463,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 1078
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000218",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045643.5622,
"tid": 552,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 1150
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002cc",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045643.6713,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 2000
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000318",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045643.6713,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 2052
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000470",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.1402,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 5016
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000004dc",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.2492,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 5791
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000004f0",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.2492,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 5818
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000504",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.3742,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 6931
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000051c",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.3902,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 6994
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000530",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.3902,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7031
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000558",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.3902,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7078
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000056c",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.4053,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7126
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000580",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.4053,
"tid": 852,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7161
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000005b8",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045645.4992,
"tid": 1820,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7258
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000224",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045646.5303,
"tid": 1820,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7416
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000474",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045648.3902,
"tid": 312,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7537
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000398",
"suspend_count": 1,
"process_identifier": 2728
},
"time": 1574045648.4213,
"tid": 312,
"flags": {}
},
"pid": 2728,
"type": "call",
"cid": 7600
}
],
"references": [],
"name": "injection_runpe"
}
] Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.0784540176392,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5226,
"time": 9.0791490077972,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7070,
"time": 3.0265140533447,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7398,
"time": 1.0161290168762,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7726,
"time": 3.0362000465393,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8054,
"time": 1.5198810100555,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8382,
"time": -0.097172021865845,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8710,
"time": 1.5314490795135,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28120,
"time": 1.0465550422668,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36504,
"time": 3.1252448558807,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "fb41b77233047b82ee50df8fc7023d0424622df64fde2833054e1103b9f50118",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "62b1ac49ce6da0b4f8b4ac02f15aafae1319a421c92c550b4ae4e301b7c6d763",
"irc": [],
"https_ex": []
}Screenshots
kBwCGnTY.exe removal instructions
The instructions below shows how to remove kBwCGnTY.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the kBwCGnTY.exe file for removal, restart your computer and scan it again to verify that kBwCGnTY.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate kBwCGnTY.exe in the scan result and tick the checkbox next to the kBwCGnTY.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate kBwCGnTY.exe in the scan result.
c:\users\%USERNAME%\appdata\roaming\kBwCGnTY.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the kBwCGnTY.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If kBwCGnTY.exe still remains in the scan result, proceed with the next step. If kBwCGnTY.exe is gone from the scan result you're done.
- If kBwCGnTY.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that kBwCGnTY.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 6a492d582f1a19dda7ff29706546e3f8 |
| SHA256 | 549604be1da98f7cd5665c04deb8242523b87e4ad13513a65228354fe648464e |
Error Messages
These are some of the error messages that can appear related to kbwcgnty.exe:
kbwcgnty.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
kbwcgnty.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
MSI Notification has stopped working.
End Program - kbwcgnty.exe. This program is not responding.
kbwcgnty.exe is not a valid Win32 application.
kbwcgnty.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with kBwCGnTY.exe?
To help other users, please let us know what you will do with kBwCGnTY.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.