Analysis

Category: FILE
Package: Extraction_js
Started: 2020-03-24 05:09:59
Completed: 2020-03-24 05:14:15
Duration: 256 seconds

Options:
route = internet
procdump = 0

Log:
2020-03-24 05:10:00,000 [root] INFO: Date set to: 03-24-20, time set to: 05:10:00, timeout set to: 200
2020-03-24 05:10:00,015 [root] DEBUG: Starting analyzer from: C:\vgzsvvr
2020-03-24 05:10:00,015 [root] DEBUG: Storing results at: C:\hLUpzAAQj
2020-03-24 05:10:00,015 [root] DEBUG: Pipe server name: \\.\PIPE\pSNnCqspPc
2020-03-24 05:10:00,015 [root] INFO: Analysis package "Extraction_js" has been specified.
2020-03-24 05:10:00,326 [root] DEBUG: Started auxiliary module Browser
2020-03-24 05:10:00,326 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 05:10:00,326 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 05:10:00,950 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 05:10:00,950 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 05:10:00,950 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 05:10:00,950 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 05:10:00,950 [root] DEBUG: Started auxiliary module Human
2020-03-24 05:10:00,950 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 05:10:00,950 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 05:10:00,950 [root] DEBUG: Started auxiliary module Usage
2020-03-24 05:10:00,950 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction_js
2020-03-24 05:10:00,950 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction_js
2020-03-24 05:10:01,045 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\wscript.exe" with arguments ""C:\Users\user\AppData\Local\Temp\look_presentation_z8d.js"" with pid 1436
2020-03-24 05:10:01,107 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:10:01,107 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:10:01,122 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:10:01,122 [root] DEBUG: Loader: Injecting process 1436 (thread 928) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:10:01,138 [root] DEBUG: Process image base: 0x00A80000
2020-03-24 05:10:01,138 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:10:01,138 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 05:10:01,138 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:10:01,138 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1436
2020-03-24 05:10:03,151 [lib.api.process] INFO: Successfully resumed process with pid 1436
2020-03-24 05:10:03,151 [root] INFO: Added new process to list with pid: 1436
2020-03-24 05:10:03,165 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:10:03,165 [root] DEBUG: Process dumps disabled.
2020-03-24 05:10:03,213 [root] INFO: Disabling sleep skipping.
2020-03-24 05:10:03,213 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 05:10:03,213 [root] INFO: Disabling sleep skipping.
2020-03-24 05:10:03,213 [root] INFO: Disabling sleep skipping.
2020-03-24 05:10:03,213 [root] INFO: Disabling sleep skipping.
2020-03-24 05:10:03,213 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 05:10:03,213 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xb0000
2020-03-24 05:10:03,213 [root] DEBUG: Debugger initialised.
2020-03-24 05:10:03,213 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1436 at 0x747d0000, image base 0xa80000, stack from 0x346000-0x350000
2020-03-24 05:10:03,213 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\look_presentation_z8d.js".
2020-03-24 05:10:03,213 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00A80000) returned 0x00000000.
2020-03-24 05:10:03,213 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:10:03,213 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00A80000) -> AllocationBase 0x00A80000 RegionSize 0x4096.
2020-03-24 05:10:03,213 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2f3b, Entropy 5.636160e+00
2020-03-24 05:10:03,213 [root] DEBUG: AddTrackedRegion: New region at 0x00A80000 size 0x1000 added to tracked regions.
2020-03-24 05:10:03,213 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:10:03,213 [root] INFO: Monitor successfully loaded in process with pid 1436.
2020-03-24 05:10:03,229 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:10:03,229 [root] DEBUG: DLL unloaded from 0x00A80000.
2020-03-24 05:10:03,229 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2020-03-24 05:10:03,229 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1592.
2020-03-24 05:10:03,229 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:10:03,259 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 05:10:03,276 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2020-03-24 05:10:03,290 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2020-03-24 05:10:03,290 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 05:10:03,290 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 05:10:03,290 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2020-03-24 05:10:03,306 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 05:10:03,306 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2020-03-24 05:10:03,306 [root] DEBUG: DLL unloaded from 0x751B0000.
2020-03-24 05:10:03,306 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2020-03-24 05:10:03,306 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2020-03-24 05:10:03,306 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 05:10:03,322 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes).
2020-03-24 05:10:03,338 [root] DEBUG: DLL unloaded from 0x76C00000.
2020-03-24 05:10:03,572 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2020-03-24 05:10:03,572 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2380.
2020-03-24 05:10:03,588 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:10:03,634 [root] DEBUG: DLL loaded at 0x74410000: C:\Windows\SysWOW64\wshom.ocx (0x21000 bytes).
2020-03-24 05:10:03,634 [root] DEBUG: DLL loaded at 0x743F0000: C:\Windows\SysWOW64\MPR (0x12000 bytes).
2020-03-24 05:10:03,650 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\SysWOW64\ScrRun (0x2a000 bytes).
2020-03-24 05:10:03,711 [root] DEBUG: DLL loaded at 0x742C0000: C:\Program Files (x86)\Common Files\System\ado\msado15 (0xf9000 bytes).
2020-03-24 05:10:03,743 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\system32\MSDART (0x1f000 bytes).
2020-03-24 05:10:23,618 [root] DEBUG: DLL unloaded from 0x751B0000.
2020-03-24 05:10:24,398 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\mlang (0x2e000 bytes).
2020-03-24 05:10:24,460 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\SysWOW64\PROPSYS (0xf5000 bytes).
2020-03-24 05:10:24,460 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 05:10:24,460 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\SysWOW64\apphelp (0x4c000 bytes).
2020-03-24 05:10:24,523 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2020-03-24 05:10:24,615 [root] DEBUG: DLL loaded at 0x73F90000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2020-03-24 05:10:24,631 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 05:10:24,710 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 05:10:24,756 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 05:10:24,913 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 05:10:24,913 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 05:10:24,913 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 05:10:24,913 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 05:10:24,927 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2020-03-24 05:10:24,927 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 05:10:24,944 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2020-03-24 05:10:24,990 [root] INFO: Announced 32-bit process name: regsvr32.exe pid: 2788
2020-03-24 05:10:24,990 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:10:24,990 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:10:24,990 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:10:24,990 [root] DEBUG: Loader: Injecting process 2788 (thread 2772) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:10:24,990 [root] DEBUG: Process image base: 0x000B0000
2020-03-24 05:10:24,990 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:10:24,990 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 05:10:24,990 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:10:24,990 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2788
2020-03-24 05:10:25,022 [root] INFO: Announced 32-bit process name: regsvr32.exe pid: 2788
2020-03-24 05:10:25,022 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:10:25,022 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:10:25,022 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:10:25,022 [root] DEBUG: Loader: Injecting process 2788 (thread 2772) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:10:25,022 [root] DEBUG: Process image base: 0x000B0000
2020-03-24 05:10:25,022 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:10:25,022 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 05:10:25,022 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:10:25,022 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2788
2020-03-24 05:10:25,038 [root] DEBUG: DLL unloaded from 0x74410000.
2020-03-24 05:10:25,038 [root] DEBUG: DLL unloaded from 0x742C0000.
2020-03-24 05:10:25,038 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 05:10:25,038 [root] DEBUG: DLL unloaded from 0x742A0000.
2020-03-24 05:10:25,038 [root] DEBUG: DLL unloaded from 0x74450000.
2020-03-24 05:10:25,052 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 05:10:25,052 [root] DEBUG: DLL unloaded from 0x74170000.
2020-03-24 05:10:25,052 [root] DEBUG: DLL unloaded from 0x72F70000.
2020-03-24 05:10:25,052 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:10:25,052 [root] DEBUG: DLL unloaded from 0x74270000.
2020-03-24 05:10:25,052 [root] DEBUG: DLL unloaded from 0x743C0000.
2020-03-24 05:10:25,069 [root] DEBUG: DLL unloaded from 0x74480000.
2020-03-24 05:10:25,069 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1436).
2020-03-24 05:10:25,069 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:10:25,069 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00A80000.
2020-03-24 05:10:25,069 [root] DEBUG: ProcessImageBase: EP 0x00002F3B image base 0x00A80000 size 0x0 entropy 5.636403e+00.
2020-03-24 05:10:25,069 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1592.
2020-03-24 05:10:25,069 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2380.
2020-03-24 05:10:25,069 [root] DEBUG: DLL unloaded from 0x74170000.
2020-03-24 05:10:25,069 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 05:10:25,069 [root] DEBUG: DLL unloaded from 0x749D0000.
2020-03-24 05:10:25,069 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1436).
2020-03-24 05:10:25,069 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:10:25,069 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00A80000.
2020-03-24 05:10:25,069 [root] DEBUG: ProcessImageBase: EP 0x00002F3B image base 0x00A80000 size 0x0 entropy 5.636403e+00.
2020-03-24 05:10:25,069 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1592.
2020-03-24 05:10:25,069 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2380.
2020-03-24 05:10:25,069 [root] INFO: Notified of termination of process with pid 1436.
2020-03-24 05:10:25,194 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:10:25,194 [root] DEBUG: Process dumps disabled.
2020-03-24 05:10:25,209 [root] INFO: Disabling sleep skipping.
2020-03-24 05:10:25,224 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 05:10:25,240 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 05:10:25,256 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xc0000
2020-03-24 05:10:25,272 [root] DEBUG: Debugger initialised.
2020-03-24 05:10:25,286 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2788 at 0x747d0000, image base 0xb0000, stack from 0x196000-0x1a0000
2020-03-24 05:10:25,286 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\regsvr32.exe" -s C:\Users\user\AppData\Local\Temp\xBjMNtgfJT.txt.
2020-03-24 05:10:25,286 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000B0000) returned 0x00000000.
2020-03-24 05:10:25,286 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:10:25,286 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000B0000) -> AllocationBase 0x000B0000 RegionSize 0x4096.
2020-03-24 05:10:25,286 [root] DEBUG: AddTrackedRegion: EntryPoint 0x27c1, Entropy 3.395374e+00
2020-03-24 05:10:25,286 [root] DEBUG: AddTrackedRegion: New region at 0x000B0000 size 0x1000 added to tracked regions.
2020-03-24 05:10:25,286 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:10:25,302 [root] INFO: Added new process to list with pid: 2788
2020-03-24 05:10:25,302 [root] INFO: Monitor successfully loaded in process with pid 2788.
2020-03-24 05:10:25,318 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:10:25,318 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 05:10:25,334 [root] DEBUG: ProcessImageBase: EP 0x000027C1 image base 0x000B0000 size 0x0 entropy 3.399706e+00.
2020-03-24 05:10:25,349 [root] DEBUG: ProtectionHandler: Adding region at 0x01BE1000 to tracked regions.
2020-03-24 05:10:25,349 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01BE1000) returned 0x00000000.
2020-03-24 05:10:25,365 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:10:25,381 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01BE1000) -> AllocationBase 0x01BE0000 RegionSize 0x380928.
2020-03-24 05:10:25,395 [root] DEBUG: AddTrackedRegion: EntryPoint 0x25ce0, Entropy 5.445284e+00
2020-03-24 05:10:25,411 [root] DEBUG: AddTrackedRegion: New region at 0x01BE0000 size 0x5d000 added to tracked regions.
2020-03-24 05:10:25,411 [root] DEBUG: ProtectionHandler: Address: 0x01BE1000 (alloc base 0x01BE0000), NumberOfBytesToProtect: 0x5d000, NewAccessProtection: 0x40
2020-03-24 05:10:25,427 [root] DEBUG: ProtectionHandler: Increased region size at 0x01BE1000 to 0x5e000.
2020-03-24 05:10:25,427 [root] DEBUG: ProtectionHandler: New code detected at (0x01BE0000), scanning for PE images.
2020-03-24 05:10:25,427 [root] DEBUG: DumpPEsInRange: Scanning range 0x1be0000 - 0x1c3e000.
2020-03-24 05:10:25,427 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1be0000
2020-03-24 05:10:25,427 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 05:10:25,443 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01BE0000.
2020-03-24 05:10:25,459 [root] DEBUG: DumpProcess: Module entry point VA is 0x00025CE0.
2020-03-24 05:10:25,490 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\2788_6518491782510524232020
2020-03-24 05:10:25,490 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x65600.
2020-03-24 05:10:25,506 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1be0200-0x1c3e000.
2020-03-24 05:10:25,506 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x01BE0000.
2020-03-24 05:10:25,506 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1be0000 - 0x1c3e000.
2020-03-24 05:10:25,520 [root] DEBUG: ProtectionHandler: Address 0x01C5C000 already in tracked region at 0x01BE0000, size 0x5e000
2020-03-24 05:10:25,520 [root] DEBUG: ProtectionHandler: Address: 0x01C5C000 (alloc base 0x01BE0000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x40
2020-03-24 05:10:25,520 [root] DEBUG: ProtectionHandler: Increased region size at 0x01C5C000 to 0x7d000.
2020-03-24 05:10:25,520 [root] DEBUG: ProtectionHandler: New code detected at (0x01BE0000), scanning for PE images.
2020-03-24 05:10:25,520 [root] DEBUG: DumpPEsInRange: Scanning range 0x1be0000 - 0x1c5d000.
2020-03-24 05:10:25,520 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1be0000
2020-03-24 05:10:25,520 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 05:10:25,520 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01BE0000.
2020-03-24 05:10:25,552 [root] DEBUG: DumpProcess: Module entry point VA is 0x00025CE0.
2020-03-24 05:10:25,584 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\2788_15643864322510524232020
2020-03-24 05:10:25,584 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x65600.
2020-03-24 05:10:25,615 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1be0200-0x1c5d000.
2020-03-24 05:10:25,630 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x01BE0000.
2020-03-24 05:10:25,645 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1be0000 - 0x1c5d000.
2020-03-24 05:10:25,645 [root] DEBUG: ProtectionHandler: Address 0x01C5D000 already in tracked region at 0x01BE0000, size 0x7d000
2020-03-24 05:10:25,661 [root] DEBUG: ProtectionHandler: Address: 0x01C5D000 (alloc base 0x01BE0000), NumberOfBytesToProtect: 0x5000, NewAccessProtection: 0x40
2020-03-24 05:10:25,677 [root] DEBUG: ProtectionHandler: Increased region size at 0x01C5D000 to 0x82000.
2020-03-24 05:10:25,677 [root] DEBUG: ProtectionHandler: New code detected at (0x01BE0000), scanning for PE images.
2020-03-24 05:10:25,677 [root] DEBUG: DumpPEsInRange: Scanning range 0x1be0000 - 0x1c62000.
2020-03-24 05:10:25,677 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1be0000
2020-03-24 05:10:25,693 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 05:10:25,693 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01BE0000.
2020-03-24 05:10:25,693 [root] DEBUG: DumpProcess: Module entry point VA is 0x00025CE0.
2020-03-24 05:10:25,693 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\2788_11470453702510524232020
2020-03-24 05:10:25,707 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x65600.
2020-03-24 05:10:25,707 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1be0200-0x1c62000.
2020-03-24 05:10:25,707 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x01BE0000.
2020-03-24 05:10:25,707 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1be0000 - 0x1c62000.
2020-03-24 05:10:25,723 [root] DEBUG: ProtectionHandler: Address 0x01BE1000 already in tracked region at 0x01BE0000, size 0x82000
2020-03-24 05:10:25,723 [root] DEBUG: ProtectionHandler: Address: 0x01BE1000 (alloc base 0x01BE0000), NumberOfBytesToProtect: 0x5d000, NewAccessProtection: 0x20
2020-03-24 05:10:25,723 [root] DEBUG: ProtectionHandler: Updated region protection at 0x01BE1000 to 0x20.
2020-03-24 05:10:25,723 [root] DEBUG: ProtectionHandler: New code detected at (0x01BE0000), scanning for PE images.
2020-03-24 05:10:25,723 [root] DEBUG: DumpPEsInRange: Scanning range 0x1be0000 - 0x1c62000.
2020-03-24 05:10:25,740 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1be0000
2020-03-24 05:10:25,740 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 05:10:25,740 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01BE0000.
2020-03-24 05:10:25,740 [root] DEBUG: DumpProcess: Module entry point VA is 0x00025CE0.
2020-03-24 05:10:25,740 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\2788_18030380442510524232020
2020-03-24 05:10:25,740 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x65600.
2020-03-24 05:10:25,755 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1be0200-0x1c62000.
2020-03-24 05:10:25,755 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x01BE0000.
2020-03-24 05:10:25,755 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1be0000 - 0x1c62000.
2020-03-24 05:10:25,755 [root] DEBUG: DLL loaded at 0x01BE0000: C:\Users\user\AppData\Local\Temp\xBjMNtgfJT.txt (0x82000 bytes).
2020-03-24 05:10:25,786 [root] DEBUG: DLL loaded at 0x743F0000: C:\Windows\system32\WINSPOOL.DRV (0x51000 bytes).
2020-03-24 05:10:25,802 [root] DEBUG: ProtectionHandler: Address 0x000B1000 already in tracked region at 0x000B0000, size 0x1000
2020-03-24 05:10:25,802 [root] DEBUG: ProtectionHandler: Address: 0x000B1000 (alloc base 0x000B0000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x40
2020-03-24 05:10:25,802 [root] DEBUG: ProtectionHandler: Increased region size at 0x000B1000 to 0x2000.
2020-03-24 05:10:25,802 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000B1000 to 0x40.
2020-03-24 05:10:25,802 [root] DEBUG: ProcessImageBase: EP 0x000027C1 image base 0x000B0000 size 0x0 entropy 3.399706e+00.
2020-03-24 05:10:25,802 [root] DEBUG: ProtectionHandler: Address 0x000B1000 already in tracked region at 0x000B0000, size 0x2000
2020-03-24 05:10:25,802 [root] DEBUG: ProtectionHandler: Address: 0x000B1000 (alloc base 0x000B0000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x20
2020-03-24 05:10:25,802 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000B1000 to 0x20.
2020-03-24 05:10:25,818 [root] DEBUG: ProcessImageBase: EP 0x000027C1 image base 0x000B0000 size 0x0 entropy 3.399574e+00.
2020-03-24 05:10:53,101 [root] DEBUG: Allocation: 0x00390000 - 0x00391000, size: 0x1000, protection: 0x40.
2020-03-24 05:10:53,101 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:10:53,101 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 05:10:53,101 [root] DEBUG: ProcessImageBase: EP 0x000027C1 image base 0x000B0000 size 0x0 entropy 3.399574e+00.
2020-03-24 05:10:53,148 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01BE0000.
2020-03-24 05:10:53,148 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00390000, size: 0x1000.
2020-03-24 05:10:53,164 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00390000) returned 0x00000000.
2020-03-24 05:10:53,196 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:10:53,226 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00390000) -> AllocationBase 0x00390000 RegionSize 0x4096.
2020-03-24 05:10:53,242 [root] DEBUG: AddTrackedRegion: New region at 0x00390000 size 0x1000 added to tracked regions.
2020-03-24 05:10:53,273 [root] DEBUG: set_caller_info: Adding region at 0x00390000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 05:10:53,289 [root] DEBUG: set_caller_info: Caller at 0x00390679 in tracked regions.
2020-03-24 05:10:53,305 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:10:53,305 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 05:10:53,305 [root] DEBUG: ProcessImageBase: EP 0x000027C1 image base 0x000B0000 size 0x0 entropy 3.399574e+00.
2020-03-24 05:10:53,335 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01BE0000.
2020-03-24 05:10:53,351 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00390000.
2020-03-24 05:10:53,351 [root] DEBUG: DumpPEsInRange: Scanning range 0x390000 - 0x391000.
2020-03-24 05:10:53,351 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x390000-0x391000.
2020-03-24 05:10:53,382 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00390000 - 0x00391000.
2020-03-24 05:10:53,382 [root] DEBUG: set_caller_info: Adding region at 0x01CB0000 to caller regions list (kernel32::GetSystemTime).
2020-03-24 05:10:53,414 [root] DEBUG: DumpPEsInRange: Scanning range 0x390000 - 0x391000.
2020-03-24 05:10:53,414 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x390000-0x391000.
2020-03-24 05:10:53,414 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00390000 - 0x00391000.
2020-03-24 05:10:53,430 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\2788_82831849853301124232020 successfully created, size 0x1000
2020-03-24 05:10:53,476 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\2788_82831849853301124232020
2020-03-24 05:10:53,476 [root] DEBUG: DumpRegion: Dumped stack region from 0x00390000, size 0x1000.
2020-03-24 05:10:53,476 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00390000.
2020-03-24 05:10:53,492 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x390000 - 0x391000.
2020-03-24 05:10:53,492 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\2788_38467647253301124232020 successfully created, size 0x1000
2020-03-24 05:10:53,492 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\2788_38467647253301124232020
2020-03-24 05:10:53,492 [root] DEBUG: DumpRegion: Dumped stack region from 0x00390000, size 0x1000.
2020-03-24 05:10:53,492 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00390000.
2020-03-24 05:10:53,492 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x390000 - 0x391000.
2020-03-24 05:10:53,492 [root] DEBUG: Allocation: 0x003B0000 - 0x003D9000, size: 0x29000, protection: 0x40.
2020-03-24 05:10:53,507 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:10:53,507 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 05:10:53,523 [root] DEBUG: ProcessImageBase: EP 0x000027C1 image base 0x000B0000 size 0x0 entropy 3.399574e+00.
2020-03-24 05:10:53,523 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01BE0000.
2020-03-24 05:10:53,523 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00390000.
2020-03-24 05:10:53,539 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003B0000, size: 0x29000.
2020-03-24 05:10:53,539 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x003B0000) returned 0x00000000.
2020-03-24 05:10:53,539 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:10:53,585 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x003B0000) -> AllocationBase 0x003B0000 RegionSize 0x167936.
2020-03-24 05:10:53,601 [root] DEBUG: AddTrackedRegion: New region at 0x003B0000 size 0x29000 added to tracked regions.
2020-03-24 05:10:53,631 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x003B0000, TrackedRegion->RegionSize: 0x29000, thread 2772
2020-03-24 05:10:54,645 [root] DEBUG: SetThreadBreakpoint: SetBreakpointThread timeout, thread killed.
2020-03-24 05:10:54,645 [root] DEBUG: SetThreadBreakpoint: Sample thread was not suspended. About to set breakpoint without thread.
2020-03-24 05:10:54,661 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd0, Size=0x2, Address=0x003B0000 and Type=0x1.
2020-03-24 05:10:54,661 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 0
2020-03-24 05:10:54,693 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x003B0000
2020-03-24 05:10:55,707 [root] DEBUG: SetThreadBreakpoint: SetBreakpointThread timeout, thread killed.
2020-03-24 05:10:55,723 [root] DEBUG: SetThreadBreakpoint: Sample thread was not suspended. About to set breakpoint without thread.
2020-03-24 05:10:55,737 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd0, Size=0x4, Address=0x003B003C and Type=0x1.
2020-03-24 05:10:55,737 [root] DEBUG: SetBreakpointWithoutThread: bp set with register 1
2020-03-24 05:10:55,753 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x003B003C
2020-03-24 05:10:55,753 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x003B0000 (size 0x29000).
2020-03-24 05:10:55,753 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:10:55,785 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:55,785 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003B0000.
2020-03-24 05:10:55,801 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x003B0000 and Type=0x0.
2020-03-24 05:10:55,832 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3b0000: 0x5b.
2020-03-24 05:10:55,848 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:10:55,848 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:55,878 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003B0000.
2020-03-24 05:10:55,894 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:55,894 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3b0000: 0x5b.
2020-03-24 05:10:55,894 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:10:55,894 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:55,894 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:55,910 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x003B0000: 0x003B0000 0x003B003C 0x003B0000 0x00000000
2020-03-24 05:10:55,926 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x003B00E4 and Type=0x1.
2020-03-24 05:10:55,971 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 3 within Context, Size=0x4, Address=0x003B00F4 and Type=0x1.
2020-03-24 05:10:56,003 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B00F4.
2020-03-24 05:10:56,019 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:56,019 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,035 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xcccc (at 0x003B003C).
2020-03-24 05:10:56,065 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,065 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,082 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:56,096 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,096 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x49cccc (at 0x003B003C).
2020-03-24 05:10:56,112 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,112 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,128 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:56,128 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,144 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x4949cccc (at 0x003B003C).
2020-03-24 05:10:56,160 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,206 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,221 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:56,221 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0x4949CCCC.
2020-03-24 05:10:56,253 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:56,253 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0x4949CCCC.
2020-03-24 05:10:56,253 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:56,253 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0x4949CCCC.
2020-03-24 05:10:56,283 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:56,299 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0x4949CCCC.
2020-03-24 05:10:56,331 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0039029C (thread 2772)
2020-03-24 05:10:56,331 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0x4949CCCC.
2020-03-24 05:10:56,346 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390382 (thread 2772)
2020-03-24 05:10:56,361 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,378 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x4949cc26 (at 0x003B003C).
2020-03-24 05:10:56,378 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,408 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,408 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390382 (thread 2772)
2020-03-24 05:10:56,408 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,424 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x4949fc26 (at 0x003B003C).
2020-03-24 05:10:56,424 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,440 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,471 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390382 (thread 2772)
2020-03-24 05:10:56,471 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,471 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x497efc26 (at 0x003B003C).
2020-03-24 05:10:56,486 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,517 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,517 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390384 (thread 2772)
2020-03-24 05:10:56,533 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,533 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xe67efc26 (at 0x003B003C).
2020-03-24 05:10:56,533 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,549 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,565 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390382 (thread 2772)
2020-03-24 05:10:56,581 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0xE67EFC26.
2020-03-24 05:10:56,595 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390382 (thread 2772)
2020-03-24 05:10:56,595 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0xE67EFC26.
2020-03-24 05:10:56,595 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390384 (thread 2772)
2020-03-24 05:10:56,595 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xE67EFC26.
2020-03-24 05:10:56,628 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390382 (thread 2772)
2020-03-24 05:10:56,628 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xE67EFC26.
2020-03-24 05:10:56,628 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390382 (thread 2772)
2020-03-24 05:10:56,628 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xE67EFC26.
2020-03-24 05:10:56,628 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00390382 (thread 2772)
2020-03-24 05:10:56,642 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0xE67EFC26.
2020-03-24 05:10:56,658 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,674 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,720 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xe67efc65 (at 0x003B003C).
2020-03-24 05:10:56,767 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,783 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,783 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,799 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,799 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xe67ebf65 (at 0x003B003C).
2020-03-24 05:10:56,799 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,815 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,815 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,845 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,845 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xe63dbf65 (at 0x003B003C).
2020-03-24 05:10:56,861 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,861 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,861 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,861 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-03-24 05:10:56,877 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x753dbf65 (at 0x003B003C).
2020-03-24 05:10:56,892 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 2772 (process 2788), skipping.
2020-03-24 05:10:56,892 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-03-24 05:10:56,907 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,907 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0x753DBF65.
2020-03-24 05:10:56,907 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,940 [root] DEBUG: MagicWriteCallback: pointer to PE header too big: 0x753DBF65.
2020-03-24 05:10:56,940 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,940 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0x753DBF65.
2020-03-24 05:10:56,970 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,970 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0x753DBF65.
2020-03-24 05:10:56,986 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,986 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0x753DBF65.
2020-03-24 05:10:56,986 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003902D6 (thread 2772)
2020-03-24 05:10:56,986 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0x753DBF65.
2020-03-24 05:10:56,986 [root] DEBUG: FreeHandler: Address: 0x003B0000.
2020-03-24 05:10:56,986 [root] DEBUG: DumpPEsInRange: Scanning range 0x3b0000 - 0x3d9000.
2020-03-24 05:10:56,986 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3ba007
2020-03-24 05:10:56,986 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-03-24 05:10:56,986 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x003BA007.
2020-03-24 05:10:57,032 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\2788_6371064745610524232020
2020-03-24 05:10:57,032 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xae00.
2020-03-24 05:10:57,079 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3ba207-0x3d9000.
2020-03-24 05:10:57,079 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x003B0000 - 0x003D9000.
2020-03-24 05:10:57,095 [root] DEBUG: FreeHandler: Found and dumped PE image(s) in range 0x003B0000 - 0x003D9000.
2020-03-24 05:10:57,095 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3b0000 - 0x3d9000.
2020-03-24 05:10:57,095 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x003B00E4.
2020-03-24 05:10:57,095 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x003B003C.
2020-03-24 05:10:57,127 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x003B0000.
2020-03-24 05:10:57,127 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 3 address 0x003B00F4.
2020-03-24 05:10:57,141 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x20afa10, AllocationBase 0x0.
2020-03-24 05:10:57,157 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x20afab8, AllocationBase 0xb0000.
2020-03-24 05:10:57,157 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x20a84c0, AllocationBase 0x1be0000.
2020-03-24 05:10:57,157 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x20aaad0, AllocationBase 0x390000.
2020-03-24 05:10:57,157 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x20aab78, AllocationBase 0x3b0000.
2020-03-24 05:10:57,174 [root] DEBUG: DropTrackedRegion: removed pages 0x3b0000-0x3d9000 from the end of the tracked region list.
2020-03-24 05:10:57,204 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2696.
2020-03-24 05:10:57,220 [root] DEBUG: set_caller_info: Adding region at 0x000F0000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 05:10:57,266 [root] DEBUG: set_caller_info: Adding region at 0x00280000 to caller regions list (ntdll::LdrUnloadDll).
2020-03-24 05:10:57,266 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1012.
2020-03-24 05:10:57,313 [root] DEBUG: DLL loaded at 0x74390000: C:\Windows\SysWOW64\WINHTTP (0x58000 bytes).
2020-03-24 05:10:57,313 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\SysWOW64\webio (0x4f000 bytes).
2020-03-24 05:10:57,313 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:10:57,313 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 05:10:57,313 [root] DEBUG: ProcessImageBase: EP 0x000027C1 image base 0x000B0000 size 0x0 entropy 3.399574e+00.
2020-03-24 05:10:57,345 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01BE0000.
2020-03-24 05:10:57,361 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00390000.
2020-03-24 05:10:57,407 [root] DEBUG: ProtectionHandler: Adding region at 0x003B1000 to tracked regions.
2020-03-24 05:10:57,423 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x003B1000) returned 0x00000000.
2020-03-24 05:10:57,423 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:10:57,423 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x003B1000) -> AllocationBase 0x003B0000 RegionSize 0x40960.
2020-03-24 05:10:57,453 [root] DEBUG: AddTrackedRegion: EntryPoint 0x3bd2, Entropy 5.919400e+00
2020-03-24 05:10:57,470 [root] DEBUG: AddTrackedRegion: New region at 0x003B0000 size 0xa000 added to tracked regions.
2020-03-24 05:10:57,470 [root] DEBUG: ProtectionHandler: Address: 0x003B1000 (alloc base 0x003B0000), NumberOfBytesToProtect: 0x9d67, NewAccessProtection: 0x20
2020-03-24 05:10:57,500 [root] DEBUG: ProtectionHandler: Increased region size at 0x003B1000 to 0xad67.
2020-03-24 05:10:57,500 [root] DEBUG: ProtectionHandler: New code detected at (0x003B0000), scanning for PE images.
2020-03-24 05:10:57,532 [root] DEBUG: DumpPEsInRange: Scanning range 0x3b0000 - 0x3bad67.
2020-03-24 05:10:57,532 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3b0000
2020-03-24 05:10:57,532 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x003B0000
2020-03-24 05:10:57,548 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 05:10:57,595 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x003B0000.
2020-03-24 05:10:57,609 [root] DEBUG: DumpProcess: Module entry point VA is 0x00003BD2.
2020-03-24 05:10:57,625 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\2788_743641445710524232020
2020-03-24 05:10:57,641 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xc000.
2020-03-24 05:10:57,657 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3b0200-0x3bad67.
2020-03-24 05:10:57,657 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x003B0000.
2020-03-24 05:10:57,657 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3b0000 - 0x3bad67.
2020-03-24 05:10:57,673 [root] DEBUG: set_caller_info: Adding region at 0x003B0000 to caller regions list (kernel32::HeapCreate).
2020-03-24 05:10:57,703 [root] DEBUG: set_caller_info: Caller at 0x003B8168 in tracked regions.
2020-03-24 05:10:57,720 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:10:57,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 05:10:57,750 [root] DEBUG: ProcessImageBase: EP 0x000027C1 image base 0x000B0000 size 0x0 entropy 3.399574e+00.
2020-03-24 05:10:57,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01BE0000.
2020-03-24 05:10:57,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00390000.
2020-03-24 05:10:57,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-03-24 05:11:16,424 [root] INFO: Stopped WMI Service
2020-03-24 05:11:16,424 [root] INFO: Attaching to DcomLaunch service (pid 564)
2020-03-24 05:11:16,440 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:16,440 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:11:16,486 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:16,486 [root] DEBUG: Loader: Injecting process 564 (thread 0) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:16,486 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 568, handle 0x84
2020-03-24 05:11:16,486 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 05:11:16,486 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 05:11:16,486 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 05:11:16,502 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:11:16,517 [root] DEBUG: Process dumps disabled.
2020-03-24 05:11:16,549 [root] INFO: Disabling sleep skipping.
2020-03-24 05:11:16,579 [root] WARNING: Unable to place hook on LockResource
2020-03-24 05:11:16,611 [root] WARNING: Unable to hook LockResource
2020-03-24 05:11:16,641 [root] DEBUG: Debugger initialised.
2020-03-24 05:11:16,641 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 564 at 0x0000000074250000, image base 0x00000000FFA10000, stack from 0x00000000022B6000-0x00000000022C0000
2020-03-24 05:11:16,641 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2020-03-24 05:11:16,657 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFA10000) returned 0x0000000000000000.
2020-03-24 05:11:16,674 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 05:11:16,674 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFA10000) -> AllocationBase 0x00000000FFA10000 RegionSize 0x4096.
2020-03-24 05:11:16,688 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.671080e+00
2020-03-24 05:11:16,688 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2020-03-24 05:11:16,688 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:11:16,688 [root] INFO: Added new process to list with pid: 564
2020-03-24 05:11:16,688 [root] INFO: Monitor successfully loaded in process with pid 564.
2020-03-24 05:11:16,688 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 05:11:16,688 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 05:11:16,688 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:18,888 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 1304
2020-03-24 05:11:18,888 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:18,888 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:11:18,888 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:18,888 [root] DEBUG: Loader: Injecting process 1304 (thread 2520) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:18,904 [root] DEBUG: Process image base: 0x00000000FFCC0000
2020-03-24 05:11:18,904 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:18,920 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 05:11:18,936 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:18,936 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1304
2020-03-24 05:11:18,967 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 1304
2020-03-24 05:11:18,967 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:18,967 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:11:18,997 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:19,013 [root] DEBUG: Loader: Injecting process 1304 (thread 2520) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:19,013 [root] DEBUG: Process image base: 0x00000000FFCC0000
2020-03-24 05:11:19,029 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:19,045 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 05:11:19,045 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:19,045 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1304
2020-03-24 05:11:19,059 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:11:19,075 [root] DEBUG: Process dumps disabled.
2020-03-24 05:11:19,075 [root] INFO: Disabling sleep skipping.
2020-03-24 05:11:19,092 [root] WARNING: Unable to place hook on LockResource
2020-03-24 05:11:19,092 [root] WARNING: Unable to hook LockResource
2020-03-24 05:11:19,092 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 05:11:19,092 [root] DEBUG: Debugger initialised.
2020-03-24 05:11:19,092 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 1304 at 0x0000000074250000, image base 0x00000000FFCC0000, stack from 0x0000000000290000-0x00000000002A0000
2020-03-24 05:11:19,107 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -Embedding.
2020-03-24 05:11:19,122 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFCC0000) returned 0x0000000000000000.
2020-03-24 05:11:19,138 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 05:11:19,154 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFCC0000) -> AllocationBase 0x00000000FFCC0000 RegionSize 0x4096.
2020-03-24 05:11:19,184 [root] DEBUG: AddTrackedRegion: EntryPoint 0xa9b4, Entropy 5.870304e+00
2020-03-24 05:11:19,200 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFCC0000 size 0x1000 added to tracked regions.
2020-03-24 05:11:19,200 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:11:19,216 [root] INFO: Added new process to list with pid: 1304
2020-03-24 05:11:19,216 [root] INFO: Monitor successfully loaded in process with pid 1304.
2020-03-24 05:11:19,279 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2020-03-24 05:11:19,279 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2020-03-24 05:11:19,309 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2020-03-24 05:11:19,357 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2020-03-24 05:11:19,371 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2780.
2020-03-24 05:11:19,388 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 05:11:19,404 [root] DEBUG: DLL loaded at 0x000007FEF9D50000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2020-03-24 05:11:19,404 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1368.
2020-03-24 05:11:19,418 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-03-24 05:11:19,418 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2020-03-24 05:11:19,418 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2020-03-24 05:11:19,418 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1336.
2020-03-24 05:11:19,434 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2020-03-24 05:11:19,450 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2020-03-24 05:11:19,466 [root] DEBUG: DLL loaded at 0x000007FEF9BE0000: C:\Windows\system32\wbem\wmiprov (0x3c000 bytes).
2020-03-24 05:11:20,760 [root] INFO: Started WMI Service
2020-03-24 05:11:20,760 [root] INFO: Attaching to WMI service (pid 2240)
2020-03-24 05:11:20,760 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:20,760 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:11:20,760 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:20,760 [root] DEBUG: Loader: Injecting process 2240 (thread 0) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:20,776 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2324, handle 0x84
2020-03-24 05:11:20,776 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 05:11:20,776 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 05:11:20,776 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 05:11:20,776 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:11:20,776 [root] DEBUG: Process dumps disabled.
2020-03-24 05:11:20,792 [root] INFO: Disabling sleep skipping.
2020-03-24 05:11:20,808 [root] WARNING: Unable to place hook on LockResource
2020-03-24 05:11:20,808 [root] WARNING: Unable to hook LockResource
2020-03-24 05:11:20,808 [root] DEBUG: Debugger initialised.
2020-03-24 05:11:20,808 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2240 at 0x0000000074250000, image base 0x00000000FFA10000, stack from 0x00000000032B6000-0x00000000032C0000
2020-03-24 05:11:20,822 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-03-24 05:11:20,838 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFA10000) returned 0x0000000000000000.
2020-03-24 05:11:20,854 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 05:11:20,869 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFA10000) -> AllocationBase 0x00000000FFA10000 RegionSize 0x4096.
2020-03-24 05:11:20,901 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.657650e+00
2020-03-24 05:11:20,901 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2020-03-24 05:11:20,901 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:11:20,901 [root] INFO: Added new process to list with pid: 2240
2020-03-24 05:11:20,901 [root] INFO: Monitor successfully loaded in process with pid 2240.
2020-03-24 05:11:20,901 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 05:11:20,901 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 05:11:20,901 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:21,151 [root] DEBUG: DLL unloaded from 0x000007FEFB0D0000.
2020-03-24 05:11:21,165 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2020-03-24 05:11:22,914 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 05:11:22,944 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\system32\wbem\wbemprox (0xa000 bytes).
2020-03-24 05:11:22,976 [root] DEBUG: DLL loaded at 0x74A30000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-03-24 05:11:22,992 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 05:11:22,992 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 05:11:23,006 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2020-03-24 05:11:23,023 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 05:11:23,023 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2020-03-24 05:11:23,053 [root] DEBUG: DLL loaded at 0x74A10000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-03-24 05:11:23,101 [root] DEBUG: DLL loaded at 0x741B0000: C:\Windows\system32\wbem\fastprox (0x96000 bytes).
2020-03-24 05:11:23,115 [root] DEBUG: DLL loaded at 0x74180000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-03-24 05:11:23,397 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCEC0000 to caller regions list (ntdll::NtOpenEvent).
2020-03-24 05:11:23,413 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 2804
2020-03-24 05:11:23,413 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:23,413 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:11:23,427 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:23,427 [root] DEBUG: Loader: Injecting process 2804 (thread 2332) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:23,427 [root] DEBUG: Process image base: 0x00200000
2020-03-24 05:11:23,427 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:23,427 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 05:11:23,427 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:23,427 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2804
2020-03-24 05:11:23,460 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 2804
2020-03-24 05:11:23,460 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:23,460 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:11:23,460 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:23,460 [root] DEBUG: Loader: Injecting process 2804 (thread 2332) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:23,460 [root] DEBUG: Process image base: 0x00200000
2020-03-24 05:11:23,460 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:23,460 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 05:11:23,460 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:23,460 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2804
2020-03-24 05:11:23,506 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:11:23,506 [root] DEBUG: Process dumps disabled.
2020-03-24 05:11:23,506 [root] INFO: Disabling sleep skipping.
2020-03-24 05:11:23,506 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 05:11:23,522 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 05:11:23,522 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x120000
2020-03-24 05:11:23,522 [root] DEBUG: Debugger initialised.
2020-03-24 05:11:23,522 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2804 at 0x747d0000, image base 0x200000, stack from 0x2b0000-0x2c0000
2020-03-24 05:11:23,522 [root] DEBUG: Commandline: C:\Windows\SysWOW64\wbem\wmiprvse.exe -secured -Embedding.
2020-03-24 05:11:23,522 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00200000) returned 0x00000000.
2020-03-24 05:11:23,522 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:11:23,538 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00200000) -> AllocationBase 0x00200000 RegionSize 0x4096.
2020-03-24 05:11:23,538 [root] DEBUG: AddTrackedRegion: EntryPoint 0xf643, Entropy 6.321695e+00
2020-03-24 05:11:23,538 [root] DEBUG: AddTrackedRegion: New region at 0x00200000 size 0x1000 added to tracked regions.
2020-03-24 05:11:23,538 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:11:23,538 [root] INFO: Added new process to list with pid: 2804
2020-03-24 05:11:23,538 [root] INFO: Monitor successfully loaded in process with pid 2804.
2020-03-24 05:11:23,552 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 05:11:23,552 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 05:11:23,569 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 05:11:23,569 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2976.
2020-03-24 05:11:23,569 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:23,569 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\system32\wbem\wbemprox (0xa000 bytes).
2020-03-24 05:11:23,584 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-03-24 05:11:23,584 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 05:11:23,584 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-03-24 05:11:23,599 [root] DEBUG: DLL loaded at 0x74A10000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-03-24 05:11:23,599 [root] DEBUG: CreateThread: Initialising breakpoints for thread 992.
2020-03-24 05:11:23,631 [root] DEBUG: DLL loaded at 0x73FB0000: C:\Windows\system32\wbem\wmiutils (0x17000 bytes).
2020-03-24 05:11:23,802 [root] DEBUG: DLL loaded at 0x73F90000: C:\Windows\system32\wbem\stdprov (0x1c000 bytes).
2020-03-24 05:11:23,818 [root] DEBUG: DLL loaded at 0x73D10000: C:\Windows\system32\wbem\esscli (0x44000 bytes).
2020-03-24 05:11:23,834 [root] DEBUG: DLL loaded at 0x744A0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-03-24 05:11:23,834 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 05:11:34,394 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1624
2020-03-24 05:11:34,411 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:34,411 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:11:34,426 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:34,441 [root] DEBUG: Loader: Injecting process 1624 (thread 1568) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:34,441 [root] DEBUG: Process image base: 0x01180000
2020-03-24 05:11:34,441 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:34,441 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 05:11:34,441 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:34,441 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1624
2020-03-24 05:11:34,473 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1624
2020-03-24 05:11:34,473 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:34,473 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:11:34,519 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:34,519 [root] DEBUG: Loader: Injecting process 1624 (thread 1568) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:34,519 [root] DEBUG: Process image base: 0x01180000
2020-03-24 05:11:34,519 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:34,551 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 05:11:34,551 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:34,551 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1624
2020-03-24 05:11:34,566 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:11:34,614 [root] DEBUG: Process dumps disabled.
2020-03-24 05:11:34,644 [root] INFO: Disabling sleep skipping.
2020-03-24 05:11:34,644 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 05:11:34,644 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 05:11:34,644 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x230000
2020-03-24 05:11:34,660 [root] DEBUG: Debugger initialised.
2020-03-24 05:11:34,660 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1624 at 0x747d0000, image base 0x1180000, stack from 0x3d2000-0x3e0000
2020-03-24 05:11:34,660 [root] DEBUG: Commandline: C:\Windows\System32\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -Embedding.
2020-03-24 05:11:34,676 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01180000) returned 0x00000000.
2020-03-24 05:11:34,676 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:11:34,676 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01180000) -> AllocationBase 0x01180000 RegionSize 0x4096.
2020-03-24 05:11:34,676 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1c9a, Entropy 6.664381e+00
2020-03-24 05:11:34,676 [root] DEBUG: AddTrackedRegion: New region at 0x01180000 size 0x1000 added to tracked regions.
2020-03-24 05:11:34,691 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:11:34,691 [root] INFO: Added new process to list with pid: 1624
2020-03-24 05:11:34,691 [root] INFO: Monitor successfully loaded in process with pid 1624.
2020-03-24 05:11:34,691 [root] DEBUG: DLL unloaded from 0x754F0000.
2020-03-24 05:11:34,691 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2020-03-24 05:11:34,691 [root] DEBUG: DLL loaded at 0x73CD0000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2020-03-24 05:11:34,691 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 05:11:34,753 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 05:11:34,769 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2020-03-24 05:11:34,769 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 05:11:34,815 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2020-03-24 05:11:34,815 [root] DEBUG: DLL loaded at 0x73CB0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2020-03-24 05:11:34,815 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 05:11:34,862 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 05:11:34,878 [root] DEBUG: DLL loaded at 0x73C50000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-03-24 05:11:34,910 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-03-24 05:11:34,957 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-03-24 05:11:34,957 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 05:11:34,957 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-03-24 05:11:35,049 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2020-03-24 05:11:35,112 [root] INFO: Announced starting service "netprofm"
2020-03-24 05:11:35,112 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2020-03-24 05:11:35,128 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:35,128 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:11:35,128 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:35,128 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:35,128 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2020-03-24 05:11:35,128 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 05:11:35,128 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 05:11:35,128 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 05:11:35,128 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:11:35,144 [root] DEBUG: Process dumps disabled.
2020-03-24 05:11:35,206 [root] INFO: Disabling sleep skipping.
2020-03-24 05:11:35,221 [root] WARNING: Unable to place hook on LockResource
2020-03-24 05:11:35,269 [root] WARNING: Unable to hook LockResource
2020-03-24 05:11:35,315 [root] DEBUG: Debugger initialised.
2020-03-24 05:11:35,315 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 460 at 0x0000000074250000, image base 0x00000000FFA10000, stack from 0x0000000001276000-0x0000000001280000
2020-03-24 05:11:35,315 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-03-24 05:11:35,361 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFA10000) returned 0x0000000000000000.
2020-03-24 05:11:35,361 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 05:11:35,408 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFA10000) -> AllocationBase 0x00000000FFA10000 RegionSize 0x4096.
2020-03-24 05:11:35,456 [root] DEBUG: AddTrackedRegion: EntryPoint 0x13310, Entropy 6.073556e+00
2020-03-24 05:11:35,456 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2020-03-24 05:11:35,503 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:11:35,503 [root] INFO: Added new process to list with pid: 460
2020-03-24 05:11:35,503 [root] INFO: Monitor successfully loaded in process with pid 460.
2020-03-24 05:11:35,533 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 05:11:35,581 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 05:11:35,581 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:36,595 [root] DEBUG: DLL unloaded from 0x73C50000.
2020-03-24 05:11:36,625 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2020-03-24 05:11:36,625 [root] DEBUG: Allocation: 0x5FFF0000 - 0x60000000, size: 0x10000, protection: 0x40.
2020-03-24 05:11:36,625 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:11:36,625 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:11:36,625 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.665048e+00.
2020-03-24 05:11:36,625 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x5FFF0000, size: 0x10000.
2020-03-24 05:11:36,625 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x5FFF0000) returned 0x00000000.
2020-03-24 05:11:36,641 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:11:36,641 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x5FFF0000) -> AllocationBase 0x5FFF0000 RegionSize 0x65536.
2020-03-24 05:11:36,673 [root] DEBUG: AddTrackedRegion: New region at 0x5FFF0000 size 0x10000 added to tracked regions.
2020-03-24 05:11:36,673 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 1568
2020-03-24 05:11:36,673 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc8, Size=0x2, Address=0x5FFF0000 and Type=0x1.
2020-03-24 05:11:36,673 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1568 type 1 at address 0x5FFF0000, size 2 with Callback 0x747d7510.
2020-03-24 05:11:36,673 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x5FFF0000
2020-03-24 05:11:36,673 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc8, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:11:36,687 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1568 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:36,687 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:11:36,687 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x5FFF0000 (size 0x10000).
2020-03-24 05:11:36,687 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:36,687 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7255DAF5 (thread 1568)
2020-03-24 05:11:36,703 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5FFF0000.
2020-03-24 05:11:36,703 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:11:36,703 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5fff0000: 0x64.
2020-03-24 05:11:36,703 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:11:36,750 [root] DEBUG: ProtectionHandler: Address 0x5FFF0000 already in tracked region at 0x5FFF0000, size 0x10000
2020-03-24 05:11:36,750 [root] DEBUG: ProtectionHandler: Address: 0x5FFF0000 (alloc base 0x5FFF0000), NumberOfBytesToProtect: 0x10000, NewAccessProtection: 0x20
2020-03-24 05:11:36,798 [root] DEBUG: ProtectionHandler: Updated region protection at 0x5FFF0000 to 0x20.
2020-03-24 05:11:36,798 [root] DEBUG: ProtectionHandler: New code detected at (0x5FFF0000), scanning for PE images.
2020-03-24 05:11:36,812 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:36,812 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:36,812 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:36,812 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:36,812 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 1568
2020-03-24 05:11:36,812 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc8, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:11:36,828 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1568 type 0 at address 0x5FFF0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:11:36,875 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x64 at protected address: 0x5FFF0000
2020-03-24 05:11:36,875 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc8, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:11:36,875 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1568 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:36,875 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:11:36,891 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x5FFF0000.
2020-03-24 05:11:36,921 [root] DEBUG: DLL loaded at 0x73C70000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2020-03-24 05:11:36,921 [root] DEBUG: DLL unloaded from 0x76C00000.
2020-03-24 05:11:36,921 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:11:36,937 [root] DEBUG: DLL unloaded from 0x73C70000.
2020-03-24 05:11:36,937 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 05:11:36,937 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 05:11:36,984 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2752.
2020-03-24 05:11:36,984 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:37,032 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2752 (process 1624), skipping.
2020-03-24 05:11:37,032 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2752 (process 1624), skipping.
2020-03-24 05:11:37,078 [root] DEBUG: CreateThread: Initialising breakpoints for thread 804.
2020-03-24 05:11:37,078 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 804 (process 1624), skipping.
2020-03-24 05:11:37,078 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 804 (process 1624), skipping.
2020-03-24 05:11:37,078 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1852.
2020-03-24 05:11:37,125 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 1852 (process 1624), skipping.
2020-03-24 05:11:37,171 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 1852 (process 1624), skipping.
2020-03-24 05:11:37,187 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-03-24 05:11:37,375 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1928
2020-03-24 05:11:37,375 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:37,375 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:11:37,390 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:37,390 [root] DEBUG: Loader: Injecting process 1928 (thread 2896) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:37,437 [root] DEBUG: Process image base: 0x01180000
2020-03-24 05:11:37,437 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:37,437 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 05:11:37,437 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:37,437 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1928
2020-03-24 05:11:37,483 [root] DEBUG: DLL unloaded from 0x01180000.
2020-03-24 05:11:37,483 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 05:11:37,530 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1928
2020-03-24 05:11:37,530 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:37,530 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:11:37,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:37,624 [root] DEBUG: Loader: Injecting process 1928 (thread 2896) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:37,624 [root] DEBUG: Process image base: 0x01180000
2020-03-24 05:11:37,671 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:37,717 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 05:11:37,717 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:11:37,717 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1928
2020-03-24 05:11:37,733 [root] DEBUG: DLL loaded at 0x73C50000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2020-03-24 05:11:37,733 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:11:37,733 [root] DEBUG: DLL loaded at 0x73C30000: C:\Windows\system32\rasman (0x15000 bytes).
2020-03-24 05:11:37,733 [root] DEBUG: Process dumps disabled.
2020-03-24 05:11:37,733 [root] DEBUG: DLL unloaded from 0x73C50000.
2020-03-24 05:11:37,733 [root] INFO: Disabling sleep skipping.
2020-03-24 05:11:37,749 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 05:11:37,749 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\system32\rtutils (0xd000 bytes).
2020-03-24 05:11:37,765 [root] DEBUG: DLL unloaded from 0x73F80000.
2020-03-24 05:11:37,765 [root] DEBUG: DLL unloaded from 0x75600000.
2020-03-24 05:11:37,765 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 05:11:37,765 [root] DEBUG: DLL loaded at 0x73C20000: C:\Windows\system32\sensapi (0x6000 bytes).
2020-03-24 05:11:37,812 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x160000
2020-03-24 05:11:37,812 [root] DEBUG: DLL unloaded from 0x73C30000.
2020-03-24 05:11:37,812 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2020-03-24 05:11:37,812 [root] DEBUG: Debugger initialised.
2020-03-24 05:11:37,842 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1928 at 0x747d0000, image base 0x1180000, stack from 0x262000-0x270000
2020-03-24 05:11:37,842 [root] DEBUG: CreateThread: Initialising breakpoints for thread 912.
2020-03-24 05:11:37,842 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1624 CREDAT:79873.
2020-03-24 05:11:37,842 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:37,842 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01180000) returned 0x00000000.
2020-03-24 05:11:37,842 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 912 (process 1624), skipping.
2020-03-24 05:11:37,842 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:11:37,842 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 912 (process 1624), skipping.
2020-03-24 05:11:37,842 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01180000) -> AllocationBase 0x01180000 RegionSize 0x4096.
2020-03-24 05:11:37,842 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1312.
2020-03-24 05:11:37,842 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2020-03-24 05:11:37,842 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1c9a, Entropy 6.664381e+00
2020-03-24 05:11:37,842 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 1312 (process 1624), skipping.
2020-03-24 05:11:37,842 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2020-03-24 05:11:37,842 [root] DEBUG: AddTrackedRegion: New region at 0x01180000 size 0x1000 added to tracked regions.
2020-03-24 05:11:37,858 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2020-03-24 05:11:37,858 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:11:37,858 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 1312 (process 1624), skipping.
2020-03-24 05:11:37,858 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2020-03-24 05:11:37,858 [root] INFO: Added new process to list with pid: 1928
2020-03-24 05:11:37,858 [root] INFO: Monitor successfully loaded in process with pid 1928.
2020-03-24 05:11:37,858 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-03-24 05:11:37,858 [root] DEBUG: DLL unloaded from 0x754F0000.
2020-03-24 05:11:37,858 [root] DEBUG: DLL loaded at 0x73C10000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-03-24 05:11:37,858 [root] DEBUG: DLL loaded at 0x724F0000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2020-03-24 05:11:37,858 [root] DEBUG: DLL loaded at 0x73C00000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-03-24 05:11:37,874 [root] DEBUG: DLL loaded at 0x73CD0000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2020-03-24 05:11:37,874 [root] DEBUG: DLL loaded at 0x73BC0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-03-24 05:11:37,890 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 05:11:37,890 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2020-03-24 05:11:37,904 [root] DEBUG: DLL loaded at 0x73B60000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-03-24 05:11:37,904 [root] DEBUG: Allocation: 0x5FFF0000 - 0x60000000, size: 0x10000, protection: 0x40.
2020-03-24 05:11:37,904 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 05:11:37,904 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:11:37,921 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:37,921 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:11:37,921 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:11:37,936 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.665037e+00.
2020-03-24 05:11:37,936 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:37,936 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x5FFF0000, size: 0x10000.
2020-03-24 05:11:37,936 [root] INFO: Announced starting service "netprofm"
2020-03-24 05:11:37,936 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:37,936 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x5FFF0000) returned 0x00000000.
2020-03-24 05:11:37,936 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 05:11:37,936 [root] DEBUG: DLL loaded at 0x73B40000: C:\Windows\system32\DHCPCSVC (0x12000 bytes).
2020-03-24 05:11:37,936 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:11:37,951 [root] DEBUG: Failed to inject DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:37,951 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 05:11:37,951 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x5FFF0000) -> AllocationBase 0x5FFF0000 RegionSize 0x65536.
2020-03-24 05:11:37,951 [root] DEBUG: DLL loaded at 0x73B30000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-03-24 05:11:37,967 [root] DEBUG: DLL unloaded from 0x73CB0000.
2020-03-24 05:11:37,999 [root] DEBUG: AddTrackedRegion: New region at 0x5FFF0000 size 0x10000 added to tracked regions.
2020-03-24 05:11:37,999 [root] DEBUG: DLL loaded at 0x73B00000: C:\Windows\system32\IEUI (0x2d000 bytes).
2020-03-24 05:11:38,013 [root] DEBUG: DLL loaded at 0x73AF0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2020-03-24 05:11:38,013 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2516.
2020-03-24 05:11:38,046 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:38,046 [root] DEBUG: DLL unloaded from 0x73B40000.
2020-03-24 05:11:38,046 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 2896
2020-03-24 05:11:38,046 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2516 (process 1624), skipping.
2020-03-24 05:11:38,046 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x5FFF0000 and Type=0x1.
2020-03-24 05:11:38,046 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:38,046 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2896 type 1 at address 0x5FFF0000, size 2 with Callback 0x747d7510.
2020-03-24 05:11:38,046 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2516 (process 1624), skipping.
2020-03-24 05:11:38,046 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x5FFF0000
2020-03-24 05:11:38,046 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:11:38,092 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2896 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:38,092 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:11:38,108 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x5FFF0000 (size 0x10000).
2020-03-24 05:11:38,138 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:38,138 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2956.
2020-03-24 05:11:38,138 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7255DAF5 (thread 2896)
2020-03-24 05:11:38,138 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2956 (process 1624), skipping.
2020-03-24 05:11:38,138 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5FFF0000.
2020-03-24 05:11:38,154 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2956 (process 1624), skipping.
2020-03-24 05:11:38,201 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:11:38,201 [root] DEBUG: DLL loaded at 0x739C0000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2020-03-24 05:11:38,201 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5fff0000: 0x64.
2020-03-24 05:11:38,201 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:11:38,201 [root] DEBUG: Allocation: 0x00F30000 - 0x00F32000, size: 0x2000, protection: 0x40.
2020-03-24 05:11:38,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:11:38,263 [root] DEBUG: DLL loaded at 0x73980000: C:\Program Files (x86)\Internet Explorer\IEShims (0x35000 bytes).
2020-03-24 05:11:38,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:11:38,279 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.665048e+00.
2020-03-24 05:11:38,279 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x5FFF0000.
2020-03-24 05:11:38,279 [root] DEBUG: ProtectionHandler: Address 0x5FFF0000 already in tracked region at 0x5FFF0000, size 0x10000
2020-03-24 05:11:38,279 [root] DEBUG: ProtectionHandler: Address: 0x5FFF0000 (alloc base 0x5FFF0000), NumberOfBytesToProtect: 0x10000, NewAccessProtection: 0x20
2020-03-24 05:11:38,279 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00F30000, size: 0x2000.
2020-03-24 05:11:38,279 [root] DEBUG: ProtectionHandler: Updated region protection at 0x5FFF0000 to 0x20.
2020-03-24 05:11:38,279 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00F30000) returned 0x00000000.
2020-03-24 05:11:38,279 [root] DEBUG: ProtectionHandler: New code detected at (0x5FFF0000), scanning for PE images.
2020-03-24 05:11:38,279 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:11:38,279 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:38,279 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00F30000) -> AllocationBase 0x00F30000 RegionSize 0x8192.
2020-03-24 05:11:38,279 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:38,279 [root] DEBUG: AddTrackedRegion: New region at 0x00F30000 size 0x2000 added to tracked regions.
2020-03-24 05:11:38,279 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:38,279 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00F30000, TrackedRegion->RegionSize: 0x2000, thread 2956
2020-03-24 05:11:38,279 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:38,295 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x5FFF0000 to 0x00F30000.
2020-03-24 05:11:38,295 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:38,295 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 2896
2020-03-24 05:11:38,295 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:38,295 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:11:38,295 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2896 type 0 at address 0x5FFF0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:11:38,295 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x5FFF0000 - 0x60000000.
2020-03-24 05:11:38,295 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x64 at protected address: 0x5FFF0000
2020-03-24 05:11:38,311 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\1624_2006754033811524232020 successfully created, size 0x10000
2020-03-24 05:11:38,311 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:11:38,311 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2896 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:38,311 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:11:38,311 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x5FFF0000.
2020-03-24 05:11:38,325 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\1624_2006754033811524232020
2020-03-24 05:11:38,342 [root] DEBUG: DumpRegion: Dumped stack region from 0x5FFF0000, size 0x10000.
2020-03-24 05:11:38,342 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x5FFF0000.
2020-03-24 05:11:38,342 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-03-24 05:11:38,388 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:38,420 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2560.
2020-03-24 05:11:38,420 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x4bc, Size=0x2, Address=0x00F30000 and Type=0x1.
2020-03-24 05:11:38,420 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2560 (process 1928), skipping.
2020-03-24 05:11:38,420 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2956 type 1 at address 0x00F30000, size 2 with Callback 0x747d7510.
2020-03-24 05:11:38,420 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2560 (process 1928), skipping.
2020-03-24 05:11:38,420 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00F30000
2020-03-24 05:11:38,420 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2940.
2020-03-24 05:11:38,436 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x4bc, Size=0x4, Address=0x00F3003C and Type=0x1.
2020-03-24 05:11:38,436 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2940 (process 1928), skipping.
2020-03-24 05:11:38,436 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2956 type 1 at address 0x00F3003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:38,436 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x00F3003C
2020-03-24 05:11:38,436 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2940 (process 1928), skipping.
2020-03-24 05:11:38,436 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00F30000 (size 0x2000).
2020-03-24 05:11:38,436 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2556.
2020-03-24 05:11:38,436 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x752EAAB6 (thread 2956)
2020-03-24 05:11:38,482 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00F30000.
2020-03-24 05:11:38,482 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2556 (process 1928), skipping.
2020-03-24 05:11:38,482 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2556 (process 1928), skipping.
2020-03-24 05:11:38,482 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00F30000 and Type=0x0.
2020-03-24 05:11:38,482 [root] DEBUG: BaseAddressWriteCallback: byte written to 0xf30000: 0xb0.
2020-03-24 05:11:38,482 [root] DEBUG: DLL loaded at 0x73940000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2020-03-24 05:11:38,482 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:11:38,482 [root] DEBUG: DLL unloaded from 0x76C00000.
2020-03-24 05:11:38,497 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x752EAAB6 (thread 2956)
2020-03-24 05:11:38,497 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:11:38,497 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x00F3003C.
2020-03-24 05:11:38,497 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x34eb0fb0 (at 0x00F3003C).
2020-03-24 05:11:38,529 [root] DEBUG: DLL unloaded from 0x73940000.
2020-03-24 05:11:38,529 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00F30000 already exists for thread 2956 (process 1624), skipping.
2020-03-24 05:11:38,529 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 05:11:38,529 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00F30000.
2020-03-24 05:11:38,529 [root] DEBUG: DLL loaded at 0x73880000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-03-24 05:11:38,545 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 05:11:38,575 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 05:11:38,575 [root] DEBUG: ProtectionHandler: Address 0x00F30000 already in tracked region at 0x00F30000, size 0x2000
2020-03-24 05:11:38,592 [root] DEBUG: ProtectionHandler: Address: 0x00F30000 (alloc base 0x00F30000), NumberOfBytesToProtect: 0x1e80, NewAccessProtection: 0x20
2020-03-24 05:11:38,592 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 05:11:38,592 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00F30000 to 0x20.
2020-03-24 05:11:38,592 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 05:11:38,592 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 05:11:38,592 [root] DEBUG: ProtectionHandler: New code detected at (0x00F30000), scanning for PE images.
2020-03-24 05:11:38,592 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 05:11:38,592 [root] DEBUG: DumpPEsInRange: Scanning range 0xf30000 - 0xf32000.
2020-03-24 05:11:38,592 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf30000-0xf32000.
2020-03-24 05:11:38,622 [root] DEBUG: DumpPEsInRange: Scanning range 0xf30000 - 0xf31e80.
2020-03-24 05:11:38,622 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf30000-0xf31e80.
2020-03-24 05:11:38,622 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 05:11:38,622 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00F30000, TrackedRegion->RegionSize: 0x2000, thread 2956
2020-03-24 05:11:38,684 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x4bc, Size=0x0, Address=0x00F30000 and Type=0x0.
2020-03-24 05:11:38,684 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2956 type 0 at address 0x00F30000, size 0 with Callback 0x747d73a0.
2020-03-24 05:11:38,684 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0xb0 at protected address: 0x00F30000
2020-03-24 05:11:38,684 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x4bc, Size=0x4, Address=0x00F3003C and Type=0x1.
2020-03-24 05:11:38,684 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2956 type 1 at address 0x00F3003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:38,684 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x00F3003C
2020-03-24 05:11:38,684 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x00F30000.
2020-03-24 05:11:38,732 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1864.
2020-03-24 05:11:38,779 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-03-24 05:11:38,996 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 05:11:39,028 [root] DEBUG: DLL loaded at 0x73850000: C:\Windows\system32\xmllite (0x2f000 bytes).
2020-03-24 05:11:39,075 [root] DEBUG: DLL loaded at 0x73880000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-03-24 05:11:39,091 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 05:11:39,091 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 05:11:39,091 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 05:11:39,121 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 05:11:39,262 [root] DEBUG: DLL loaded at 0x736E0000: C:\Windows\system32\explorerframe (0x16f000 bytes).
2020-03-24 05:11:39,339 [root] DEBUG: DLL loaded at 0x736B0000: C:\Windows\system32\DUser (0x2f000 bytes).
2020-03-24 05:11:39,339 [root] DEBUG: DLL loaded at 0x735F0000: C:\Windows\system32\DUI70 (0xb2000 bytes).
2020-03-24 05:11:39,450 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2020-03-24 05:11:39,450 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 05:11:39,450 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2020-03-24 05:11:39,496 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-03-24 05:11:39,542 [root] DEBUG: DLL loaded at 0x73CB0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2020-03-24 05:11:39,573 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 05:11:39,605 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 05:11:39,698 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3040.
2020-03-24 05:11:39,698 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:39,698 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 3040 (process 1928), skipping.
2020-03-24 05:11:39,698 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 3040 (process 1928), skipping.
2020-03-24 05:11:39,746 [root] DEBUG: DLL loaded at 0x739C0000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2020-03-24 05:11:39,746 [root] DEBUG: Allocation: 0x005A0000 - 0x005A2000, size: 0x2000, protection: 0x40.
2020-03-24 05:11:39,776 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:11:39,776 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:11:39,776 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.665037e+00.
2020-03-24 05:11:39,776 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x5FFF0000.
2020-03-24 05:11:39,776 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x005A0000, size: 0x2000.
2020-03-24 05:11:39,776 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x005A0000) returned 0x00000000.
2020-03-24 05:11:39,792 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:11:39,792 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x005A0000) -> AllocationBase 0x005A0000 RegionSize 0x8192.
2020-03-24 05:11:39,792 [root] DEBUG: AddTrackedRegion: New region at 0x005A0000 size 0x2000 added to tracked regions.
2020-03-24 05:11:39,792 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x005A0000, TrackedRegion->RegionSize: 0x2000, thread 2556
2020-03-24 05:11:39,792 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x5FFF0000 to 0x005A0000.
2020-03-24 05:11:39,792 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:39,792 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:39,792 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x5FFF0000 - 0x60000000.
2020-03-24 05:11:39,808 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\1928_7939729663911524232020 successfully created, size 0x10000
2020-03-24 05:11:39,808 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\1928_7939729663911524232020
2020-03-24 05:11:39,839 [root] DEBUG: DumpRegion: Dumped stack region from 0x5FFF0000, size 0x10000.
2020-03-24 05:11:39,839 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x5FFF0000.
2020-03-24 05:11:39,839 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:39,901 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x1d4, Size=0x2, Address=0x005A0000 and Type=0x1.
2020-03-24 05:11:39,901 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2556 type 1 at address 0x005A0000, size 2 with Callback 0x747d7510.
2020-03-24 05:11:39,901 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x005A0000
2020-03-24 05:11:39,901 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x1d4, Size=0x4, Address=0x005A003C and Type=0x1.
2020-03-24 05:11:39,901 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2556 type 1 at address 0x005A003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:39,901 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x005A003C
2020-03-24 05:11:39,917 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x005A0000 (size 0x2000).
2020-03-24 05:11:39,917 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x752EAAB6 (thread 2556)
2020-03-24 05:11:39,948 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x005A0000.
2020-03-24 05:11:39,948 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x005A0000 and Type=0x0.
2020-03-24 05:11:39,948 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5a0000: 0xb0.
2020-03-24 05:11:39,948 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:11:39,948 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x752EAAB6 (thread 2556)
2020-03-24 05:11:39,948 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x005A003C.
2020-03-24 05:11:39,948 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x34eb0fb0 (at 0x005A003C).
2020-03-24 05:11:39,996 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x005A0000 already exists for thread 2556 (process 1928), skipping.
2020-03-24 05:11:39,996 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x005A0000.
2020-03-24 05:11:40,026 [root] DEBUG: ProtectionHandler: Address 0x005A0000 already in tracked region at 0x005A0000, size 0x2000
2020-03-24 05:11:40,073 [root] DEBUG: ProtectionHandler: Address: 0x005A0000 (alloc base 0x005A0000), NumberOfBytesToProtect: 0x1e80, NewAccessProtection: 0x20
2020-03-24 05:11:40,073 [root] DEBUG: ProtectionHandler: Updated region protection at 0x005A0000 to 0x20.
2020-03-24 05:11:40,073 [root] DEBUG: ProtectionHandler: New code detected at (0x005A0000), scanning for PE images.
2020-03-24 05:11:40,073 [root] DEBUG: DumpPEsInRange: Scanning range 0x5a0000 - 0x5a2000.
2020-03-24 05:11:40,073 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5a0000-0x5a2000.
2020-03-24 05:11:40,073 [root] DEBUG: DumpPEsInRange: Scanning range 0x5a0000 - 0x5a1e80.
2020-03-24 05:11:40,088 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5a0000-0x5a1e80.
2020-03-24 05:11:40,088 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x005A0000, TrackedRegion->RegionSize: 0x2000, thread 2556
2020-03-24 05:11:40,119 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x1d4, Size=0x0, Address=0x005A0000 and Type=0x0.
2020-03-24 05:11:40,119 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2556 type 0 at address 0x005A0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:11:40,119 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0xb0 at protected address: 0x005A0000
2020-03-24 05:11:40,119 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x1d4, Size=0x4, Address=0x005A003C and Type=0x1.
2020-03-24 05:11:40,167 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2556 type 1 at address 0x005A003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:40,167 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x005A003C
2020-03-24 05:11:40,213 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x005A0000.
2020-03-24 05:11:40,260 [root] DEBUG: DLL unloaded from 0x75600000.
2020-03-24 05:11:40,338 [root] DEBUG: DLL loaded at 0x73550000: C:\Windows\system32\msfeeds (0x96000 bytes).
2020-03-24 05:11:40,385 [root] DEBUG: DLL loaded at 0x73520000: C:\Windows\system32\MLANG (0x2e000 bytes).
2020-03-24 05:11:40,447 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-03-24 05:11:40,494 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 05:11:40,509 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim (0x11000 bytes).
2020-03-24 05:11:40,542 [root] DEBUG: DLL loaded at 0x73480000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2020-03-24 05:11:40,556 [root] DEBUG: DLL loaded at 0x733F0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80 (0x87000 bytes).
2020-03-24 05:11:40,588 [root] DEBUG: DLL loaded at 0x73AA0000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper (0x10000 bytes).
2020-03-24 05:11:41,555 [root] DEBUG: DLL loaded at 0x732B0000: C:\PROGRA~2\MICROS~1\Office14\URLREDIR (0x91000 bytes).
2020-03-24 05:11:41,555 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-03-24 05:11:41,571 [root] DEBUG: DLL loaded at 0x733E0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-03-24 05:11:41,571 [root] DEBUG: DLL loaded at 0x74D80000: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90 (0xa3000 bytes).
2020-03-24 05:11:41,586 [root] DEBUG: DLL loaded at 0x733C0000: C:\PROGRA~2\MICROS~1\Office14\MSOHEV (0x14000 bytes).
2020-03-24 05:11:41,618 [root] DEBUG: DLL loaded at 0x733B0000: C:\Program Files (x86)\Java\jre7\bin\jp2ssv (0xf000 bytes).
2020-03-24 05:11:41,680 [root] DEBUG: DLL loaded at 0x731F0000: C:\Program Files (x86)\Java\jre7\bin\MSVCR100 (0xbe000 bytes).
2020-03-24 05:11:41,711 [root] DEBUG: set_caller_info: Adding region at 0x04430000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 05:11:41,726 [root] DEBUG: set_caller_info: Adding region at 0x00C20000 to caller regions list (advapi32::RegOpenKeyExA).
2020-03-24 05:11:41,773 [root] DEBUG: DLL loaded at 0x74470000: C:\Windows\system32\DWMAPI (0x13000 bytes).
2020-03-24 05:11:41,773 [root] DEBUG: DLL loaded at 0x73350000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-03-24 05:11:41,930 [root] DEBUG: DLL unloaded from 0x724F0000.
2020-03-24 05:11:41,930 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 05:11:41,930 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:41,930 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:11:41,930 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:41,946 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:41,946 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 05:11:41,946 [root] DEBUG: Failed to inject DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:41,946 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 05:11:41,992 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2456.
2020-03-24 05:11:41,992 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:41,992 [root] DEBUG: DLL unloaded from 0x73850000.
2020-03-24 05:11:42,007 [root] DEBUG: DLL unloaded from 0x724F0000.
2020-03-24 05:11:42,007 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 05:11:42,007 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:42,007 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:11:42,132 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:42,132 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:42,132 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 05:11:42,132 [root] DEBUG: Failed to inject DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:42,132 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 05:11:42,132 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 05:11:42,132 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:11:42,132 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:11:42,180 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:11:42,226 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:42,273 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1636, handle 0x84
2020-03-24 05:11:42,319 [root] DEBUG: Process image base: 0x00000000FF900000
2020-03-24 05:11:42,319 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 05:11:42,319 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 05:11:42,367 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:11:42,367 [root] DEBUG: Process dumps disabled.
2020-03-24 05:11:42,414 [root] INFO: Disabling sleep skipping.
2020-03-24 05:11:42,414 [root] WARNING: Unable to place hook on LockResource
2020-03-24 05:11:42,428 [root] WARNING: Unable to hook LockResource
2020-03-24 05:11:42,444 [root] DEBUG: Debugger initialised.
2020-03-24 05:11:42,444 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 1632 at 0x0000000074250000, image base 0x00000000FF900000, stack from 0x0000000006CF2000-0x0000000006D00000
2020-03-24 05:11:42,460 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-03-24 05:11:42,460 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF900000) returned 0x0000000000000000.
2020-03-24 05:11:42,460 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 05:11:42,460 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF900000) -> AllocationBase 0x00000000FF900000 RegionSize 0x4096.
2020-03-24 05:11:42,492 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2b790, Entropy 5.860278e+00
2020-03-24 05:11:42,506 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF900000 size 0x1000 added to tracked regions.
2020-03-24 05:11:42,506 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:11:42,506 [root] INFO: Added new process to list with pid: 1632
2020-03-24 05:11:42,506 [root] INFO: Monitor successfully loaded in process with pid 1632.
2020-03-24 05:11:42,506 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 05:11:42,506 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 05:11:42,523 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:11:42,523 [root] DEBUG: DLL loaded at 0x744A0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-03-24 05:11:42,585 [root] DEBUG: DLL loaded at 0x73870000: C:\Windows\system32\LINKINFO (0x9000 bytes).
2020-03-24 05:11:42,601 [root] DEBUG: DLL unloaded from 0x73B00000.
2020-03-24 05:11:42,601 [root] DEBUG: DLL unloaded from 0x73FD0000.
2020-03-24 05:11:42,601 [root] DEBUG: DLL unloaded from 0x736E0000.
2020-03-24 05:11:42,601 [root] DEBUG: DLL unloaded from 0x724F0000.
2020-03-24 05:11:42,615 [root] DEBUG: DLL unloaded from 0x732B0000.
2020-03-24 05:11:42,631 [root] DEBUG: DLL unloaded from 0x733B0000.
2020-03-24 05:11:42,648 [root] DEBUG: DLL unloaded from 0x73AD0000.
2020-03-24 05:11:42,726 [root] DEBUG: DLL unloaded from 0x75980000.
2020-03-24 05:11:42,726 [root] DEBUG: DLL unloaded from 0x73AA0000.
2020-03-24 05:11:42,726 [root] DEBUG: DLL unloaded from 0x739C0000.
2020-03-24 05:11:42,740 [root] DEBUG: DLL unloaded from 0x73880000.
2020-03-24 05:11:42,772 [root] DEBUG: ProtectionHandler: Address 0x5FFF0000 already in tracked region at 0x5FFF0000, size 0x10000
2020-03-24 05:11:42,772 [root] DEBUG: ProtectionHandler: Address: 0x5FFF0000 (alloc base 0x5FFF0000), NumberOfBytesToProtect: 0x10000, NewAccessProtection: 0x40
2020-03-24 05:11:42,772 [root] DEBUG: ProtectionHandler: Updated region protection at 0x5FFF0000 to 0x40.
2020-03-24 05:11:42,772 [root] DEBUG: ProtectionHandler: New code detected at (0x5FFF0000), scanning for PE images.
2020-03-24 05:11:42,772 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:42,772 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:42,772 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 2896
2020-03-24 05:11:42,788 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x005A0000 to 0x5FFF0000.
2020-03-24 05:11:42,788 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2560.
2020-03-24 05:11:42,788 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2940.
2020-03-24 05:11:42,788 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2556.
2020-03-24 05:11:42,788 [root] DEBUG: DumpPEsInRange: Scanning range 0x5a0000 - 0x5a2000.
2020-03-24 05:11:42,788 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5a0000-0x5a2000.
2020-03-24 05:11:42,788 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x005A0000 - 0x005A2000.
2020-03-24 05:11:42,788 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\1928_13432764204211524232020 successfully created, size 0x2000
2020-03-24 05:11:42,803 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\1928_13432764204211524232020
2020-03-24 05:11:42,803 [root] DEBUG: DumpRegion: Dumped stack region from 0x005A0000, size 0x2000.
2020-03-24 05:11:42,835 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x005A0000.
2020-03-24 05:11:42,881 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5a0000 - 0x5a2000.
2020-03-24 05:11:42,881 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2560.
2020-03-24 05:11:42,881 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2940.
2020-03-24 05:11:42,927 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2556.
2020-03-24 05:11:42,927 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:11:42,927 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2896 type 0 at address 0x5FFF0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:11:42,927 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x64 at protected address: 0x5FFF0000
2020-03-24 05:11:42,927 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:11:42,927 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2896 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:42,944 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:11:42,944 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x5FFF0000.
2020-03-24 05:11:42,944 [root] DEBUG: ProtectionHandler: Address 0x5FFF0000 already in tracked region at 0x5FFF0000, size 0x10000
2020-03-24 05:11:42,944 [root] DEBUG: ProtectionHandler: Address: 0x5FFF0000 (alloc base 0x5FFF0000), NumberOfBytesToProtect: 0x10000, NewAccessProtection: 0x20
2020-03-24 05:11:42,944 [root] DEBUG: ProtectionHandler: Updated region protection at 0x5FFF0000 to 0x20.
2020-03-24 05:11:42,944 [root] DEBUG: ProtectionHandler: New code detected at (0x5FFF0000), scanning for PE images.
2020-03-24 05:11:42,990 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:42,990 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:43,006 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:43,038 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:43,052 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 2896
2020-03-24 05:11:43,099 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2560.
2020-03-24 05:11:43,099 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2940.
2020-03-24 05:11:43,099 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2556.
2020-03-24 05:11:43,099 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:11:43,099 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2896 type 0 at address 0x5FFF0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:11:43,099 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x64 at protected address: 0x5FFF0000
2020-03-24 05:11:43,115 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:11:43,115 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2896 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:43,115 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:11:43,115 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x5FFF0000.
2020-03-24 05:11:43,115 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1928).
2020-03-24 05:11:43,115 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:11:43,115 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:11:43,115 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.664853e+00.
2020-03-24 05:11:43,131 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x5FFF0000.
2020-03-24 05:11:43,131 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:43,131 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:43,161 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x5FFF0000 - 0x60000000.
2020-03-24 05:11:43,161 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\1928_33326017053321124232020 successfully created, size 0x10000
2020-03-24 05:11:43,161 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\1928_33326017053321124232020
2020-03-24 05:11:43,161 [root] DEBUG: DumpRegion: Dumped stack region from 0x5FFF0000, size 0x10000.
2020-03-24 05:11:43,161 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x5FFF0000.
2020-03-24 05:11:43,161 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:43,161 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5FFF0000.
2020-03-24 05:11:43,177 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:43,177 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,177 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,224 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,256 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,302 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,302 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,302 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x5FFF003C.
2020-03-24 05:11:43,302 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,302 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,302 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,302 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,302 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,318 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,318 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x005A0000.
2020-03-24 05:11:43,318 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2560.
2020-03-24 05:11:43,318 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2940.
2020-03-24 05:11:43,318 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2556.
2020-03-24 05:11:43,318 [root] DEBUG: DLL unloaded from 0x73880000.
2020-03-24 05:11:43,318 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:11:43,365 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 05:11:43,395 [root] DEBUG: DLL unloaded from 0x749D0000.
2020-03-24 05:11:43,411 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1928).
2020-03-24 05:11:43,411 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:11:43,411 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:11:43,411 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.664853e+00.
2020-03-24 05:11:43,411 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x5FFF0000.
2020-03-24 05:11:43,411 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x005A0000.
2020-03-24 05:11:43,459 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2560.
2020-03-24 05:11:43,459 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2940.
2020-03-24 05:11:43,506 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2556.
2020-03-24 05:11:43,506 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 3040.
2020-03-24 05:11:43,506 [root] INFO: Notified of termination of process with pid 1928.
2020-03-24 05:11:43,584 [root] DEBUG: ProtectionHandler: Address 0x5FFF0000 already in tracked region at 0x5FFF0000, size 0x10000
2020-03-24 05:11:43,598 [root] DEBUG: ProtectionHandler: Address: 0x5FFF0000 (alloc base 0x5FFF0000), NumberOfBytesToProtect: 0x10000, NewAccessProtection: 0x40
2020-03-24 05:11:43,598 [root] DEBUG: ProtectionHandler: Updated region protection at 0x5FFF0000 to 0x40.
2020-03-24 05:11:43,598 [root] DEBUG: ProtectionHandler: New code detected at (0x5FFF0000), scanning for PE images.
2020-03-24 05:11:43,598 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:43,598 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:43,598 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 1568
2020-03-24 05:11:43,598 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00F30000 to 0x5FFF0000.
2020-03-24 05:11:43,598 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2752.
2020-03-24 05:11:43,598 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 804.
2020-03-24 05:11:43,598 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1852.
2020-03-24 05:11:43,598 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1312.
2020-03-24 05:11:43,615 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2516.
2020-03-24 05:11:43,615 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1864.
2020-03-24 05:11:43,615 [root] DEBUG: DumpPEsInRange: Scanning range 0xf30000 - 0xf32000.
2020-03-24 05:11:43,615 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf30000-0xf32000.
2020-03-24 05:11:43,615 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00F30000 - 0x00F32000.
2020-03-24 05:11:43,615 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\1624_8096091794311524232020 successfully created, size 0x2000
2020-03-24 05:11:43,630 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\1624_8096091794311524232020
2020-03-24 05:11:43,630 [root] DEBUG: DumpRegion: Dumped stack region from 0x00F30000, size 0x2000.
2020-03-24 05:11:43,630 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00F30000.
2020-03-24 05:11:43,630 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf30000 - 0xf32000.
2020-03-24 05:11:43,630 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2752.
2020-03-24 05:11:43,630 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 804.
2020-03-24 05:11:43,645 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1852.
2020-03-24 05:11:43,645 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1312.
2020-03-24 05:11:43,645 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2516.
2020-03-24 05:11:43,645 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1864.
2020-03-24 05:11:43,661 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc8, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:11:43,661 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1568 type 0 at address 0x5FFF0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:11:43,661 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x64 at protected address: 0x5FFF0000
2020-03-24 05:11:43,661 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc8, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:11:43,661 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1568 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:43,661 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:11:43,677 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x5FFF0000.
2020-03-24 05:11:43,677 [root] DEBUG: ProtectionHandler: Address 0x5FFF0000 already in tracked region at 0x5FFF0000, size 0x10000
2020-03-24 05:11:43,677 [root] DEBUG: ProtectionHandler: Address: 0x5FFF0000 (alloc base 0x5FFF0000), NumberOfBytesToProtect: 0x10000, NewAccessProtection: 0x20
2020-03-24 05:11:43,677 [root] DEBUG: ProtectionHandler: Updated region protection at 0x5FFF0000 to 0x20.
2020-03-24 05:11:43,677 [root] DEBUG: ProtectionHandler: New code detected at (0x5FFF0000), scanning for PE images.
2020-03-24 05:11:43,677 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:43,693 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:43,693 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:43,693 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:43,693 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 1568
2020-03-24 05:11:43,693 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2752.
2020-03-24 05:11:43,693 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 804.
2020-03-24 05:11:43,693 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1852.
2020-03-24 05:11:43,693 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1312.
2020-03-24 05:11:43,693 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2516.
2020-03-24 05:11:43,707 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1864.
2020-03-24 05:11:43,707 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc8, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:11:43,707 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1568 type 0 at address 0x5FFF0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:11:43,707 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x64 at protected address: 0x5FFF0000
2020-03-24 05:11:43,707 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc8, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:11:43,707 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1568 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:11:43,723 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:11:43,723 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x5FFF0000.
2020-03-24 05:11:43,723 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1624).
2020-03-24 05:11:43,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:11:43,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:11:43,723 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.664861e+00.
2020-03-24 05:11:43,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x5FFF0000.
2020-03-24 05:11:43,740 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:43,740 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:11:43,740 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x5FFF0000 - 0x60000000.
2020-03-24 05:11:43,755 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\1624_8548115324371224232020 successfully created, size 0x10000
2020-03-24 05:11:43,755 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\1624_8548115324371224232020
2020-03-24 05:11:43,755 [root] DEBUG: DumpRegion: Dumped stack region from 0x5FFF0000, size 0x10000.
2020-03-24 05:11:43,770 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x5FFF0000.
2020-03-24 05:11:43,770 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5fff0000 - 0x60000000.
2020-03-24 05:11:43,770 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5FFF0000.
2020-03-24 05:11:43,770 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:11:43,770 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,770 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,786 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,786 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,786 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,786 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,786 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,802 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,802 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,802 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,802 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,802 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,818 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x5FFF003C.
2020-03-24 05:11:43,818 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,818 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,818 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,818 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,818 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,832 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,832 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,832 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,832 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,832 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,848 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:11:43,848 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:11:43,848 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00F30000.
2020-03-24 05:11:43,848 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2752.
2020-03-24 05:11:43,848 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 804.
2020-03-24 05:11:43,848 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1852.
2020-03-24 05:11:43,848 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1312.
2020-03-24 05:11:43,864 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2516.
2020-03-24 05:11:43,864 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1864.
2020-03-24 05:11:43,895 [root] DEBUG: DLL unloaded from 0x73880000.
2020-03-24 05:11:43,895 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:11:43,895 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 05:11:43,895 [root] DEBUG: DLL unloaded from 0x749D0000.
2020-03-24 05:11:43,895 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1624).
2020-03-24 05:11:43,895 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:11:43,911 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:11:43,911 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.664861e+00.
2020-03-24 05:11:43,911 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x5FFF0000.
2020-03-24 05:11:43,911 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00F30000.
2020-03-24 05:11:43,927 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2752.
2020-03-24 05:11:43,927 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 804.
2020-03-24 05:11:43,927 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1852.
2020-03-24 05:11:43,927 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 912.
2020-03-24 05:11:43,927 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1312.
2020-03-24 05:11:43,927 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2516.
2020-03-24 05:11:43,927 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2956.
2020-03-24 05:11:43,927 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1864.
2020-03-24 05:11:43,941 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2456.
2020-03-24 05:11:43,941 [root] INFO: Notified of termination of process with pid 1624.
2020-03-24 05:11:53,645 [root] DEBUG: DLL unloaded from 0x751B0000.
2020-03-24 05:12:30,571 [root] DEBUG: DLL unloaded from 0x751B0000.
2020-03-24 05:12:30,710 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1620.
2020-03-24 05:12:30,710 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2020-03-24 05:12:30,743 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2020-03-24 05:12:30,743 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:12:44,470 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1576
2020-03-24 05:12:44,470 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:12:44,470 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:12:44,532 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:12:44,532 [root] DEBUG: Loader: Injecting process 1576 (thread 2700) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:44,563 [root] DEBUG: Process image base: 0x01180000
2020-03-24 05:12:44,563 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:44,611 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 05:12:44,611 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:44,611 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1576
2020-03-24 05:12:44,641 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1576
2020-03-24 05:12:44,641 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:12:44,641 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:12:44,657 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:12:44,688 [root] DEBUG: Loader: Injecting process 1576 (thread 2700) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:44,704 [root] DEBUG: Process image base: 0x01180000
2020-03-24 05:12:44,704 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:44,720 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 05:12:44,720 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:44,720 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1576
2020-03-24 05:12:44,736 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:12:44,736 [root] DEBUG: Process dumps disabled.
2020-03-24 05:12:44,736 [root] INFO: Disabling sleep skipping.
2020-03-24 05:12:44,736 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 05:12:44,750 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 05:12:44,750 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1a0000
2020-03-24 05:12:44,750 [root] DEBUG: Debugger initialised.
2020-03-24 05:12:44,750 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1576 at 0x747d0000, image base 0x1180000, stack from 0x412000-0x420000
2020-03-24 05:12:44,750 [root] DEBUG: Commandline: C:\Windows\System32\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -Embedding.
2020-03-24 05:12:44,750 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01180000) returned 0x00000000.
2020-03-24 05:12:44,750 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:12:44,750 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01180000) -> AllocationBase 0x01180000 RegionSize 0x4096.
2020-03-24 05:12:44,750 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1c9a, Entropy 6.664381e+00
2020-03-24 05:12:44,750 [root] DEBUG: AddTrackedRegion: New region at 0x01180000 size 0x1000 added to tracked regions.
2020-03-24 05:12:44,750 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:12:44,750 [root] INFO: Added new process to list with pid: 1576
2020-03-24 05:12:44,750 [root] INFO: Monitor successfully loaded in process with pid 1576.
2020-03-24 05:12:44,766 [root] DEBUG: DLL unloaded from 0x754F0000.
2020-03-24 05:12:44,766 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2020-03-24 05:12:44,766 [root] DEBUG: DLL loaded at 0x73C90000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2020-03-24 05:12:44,766 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 05:12:44,766 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 05:12:44,782 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2020-03-24 05:12:44,782 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 05:12:44,782 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2020-03-24 05:12:44,782 [root] DEBUG: DLL loaded at 0x73CF0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2020-03-24 05:12:44,798 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 05:12:44,798 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 05:12:44,798 [root] DEBUG: DLL loaded at 0x73C30000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-03-24 05:12:44,798 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-03-24 05:12:44,798 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-03-24 05:12:44,813 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 05:12:44,813 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-03-24 05:12:44,828 [root] INFO: Announced starting service "netprofm"
2020-03-24 05:12:44,828 [root] DEBUG: DLL unloaded from 0x73C30000.
2020-03-24 05:12:44,828 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2020-03-24 05:12:44,828 [root] DEBUG: Allocation: 0x5FFF0000 - 0x60000000, size: 0x10000, protection: 0x40.
2020-03-24 05:12:44,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:12:44,845 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:12:44,845 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.665045e+00.
2020-03-24 05:12:44,845 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x5FFF0000, size: 0x10000.
2020-03-24 05:12:44,845 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x5FFF0000) returned 0x00000000.
2020-03-24 05:12:44,845 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:12:44,845 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x5FFF0000) -> AllocationBase 0x5FFF0000 RegionSize 0x65536.
2020-03-24 05:12:44,845 [root] DEBUG: AddTrackedRegion: New region at 0x5FFF0000 size 0x10000 added to tracked regions.
2020-03-24 05:12:44,845 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 2700
2020-03-24 05:12:44,845 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x5FFF0000 and Type=0x1.
2020-03-24 05:12:44,845 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2700 type 1 at address 0x5FFF0000, size 2 with Callback 0x747d7510.
2020-03-24 05:12:44,845 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x5FFF0000
2020-03-24 05:12:44,845 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:12:44,861 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2700 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:12:44,861 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:12:44,861 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x5FFF0000 (size 0x10000).
2020-03-24 05:12:44,861 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:12:44,861 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x72FDDAF5 (thread 2700)
2020-03-24 05:12:44,861 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5FFF0000.
2020-03-24 05:12:44,861 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:12:44,861 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5fff0000: 0x64.
2020-03-24 05:12:44,861 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:12:44,861 [root] DEBUG: ProtectionHandler: Address 0x5FFF0000 already in tracked region at 0x5FFF0000, size 0x10000
2020-03-24 05:12:44,861 [root] DEBUG: ProtectionHandler: Address: 0x5FFF0000 (alloc base 0x5FFF0000), NumberOfBytesToProtect: 0x10000, NewAccessProtection: 0x20
2020-03-24 05:12:44,861 [root] DEBUG: ProtectionHandler: Updated region protection at 0x5FFF0000 to 0x20.
2020-03-24 05:12:44,875 [root] DEBUG: ProtectionHandler: New code detected at (0x5FFF0000), scanning for PE images.
2020-03-24 05:12:44,875 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:12:44,875 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:12:44,875 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:12:44,875 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:12:44,875 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 2700
2020-03-24 05:12:44,875 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:12:44,875 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2700 type 0 at address 0x5FFF0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:12:44,875 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x64 at protected address: 0x5FFF0000
2020-03-24 05:12:44,875 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:12:44,875 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2700 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:12:44,875 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:12:44,891 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x5FFF0000.
2020-03-24 05:12:44,891 [root] DEBUG: DLL loaded at 0x73C50000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2020-03-24 05:12:44,891 [root] DEBUG: DLL unloaded from 0x76C00000.
2020-03-24 05:12:44,891 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:12:44,891 [root] DEBUG: DLL unloaded from 0x73C50000.
2020-03-24 05:12:44,891 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 05:12:44,891 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 05:12:44,907 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1592.
2020-03-24 05:12:44,907 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:12:44,907 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 1592 (process 1576), skipping.
2020-03-24 05:12:44,907 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 1592 (process 1576), skipping.
2020-03-24 05:12:44,907 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2756.
2020-03-24 05:12:44,907 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2756 (process 1576), skipping.
2020-03-24 05:12:44,907 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2756 (process 1576), skipping.
2020-03-24 05:12:44,907 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2448.
2020-03-24 05:12:44,907 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2448 (process 1576), skipping.
2020-03-24 05:12:44,923 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2448 (process 1576), skipping.
2020-03-24 05:12:45,078 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1784
2020-03-24 05:12:45,078 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:12:45,078 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:12:45,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:12:45,078 [root] DEBUG: Loader: Injecting process 1784 (thread 1924) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:45,078 [root] DEBUG: Process image base: 0x01180000
2020-03-24 05:12:45,078 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:45,078 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 05:12:45,078 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:45,095 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1784
2020-03-24 05:12:45,095 [root] DEBUG: DLL unloaded from 0x01180000.
2020-03-24 05:12:45,095 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 05:12:45,095 [root] INFO: Announced 32-bit process name: iexplore.exe pid: 1784
2020-03-24 05:12:45,095 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:12:45,095 [lib.api.process] INFO: 32-bit DLL to inject is C:\vgzsvvr\dll\JrANdsY.dll, loader C:\vgzsvvr\bin\RUYfSAb.exe
2020-03-24 05:12:45,095 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:12:45,095 [root] DEBUG: Loader: Injecting process 1784 (thread 1924) with C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:45,095 [root] DEBUG: Process image base: 0x01180000
2020-03-24 05:12:45,109 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:45,109 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 05:12:45,109 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\JrANdsY.dll.
2020-03-24 05:12:45,109 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1784
2020-03-24 05:12:45,109 [root] DEBUG: DLL loaded at 0x73C30000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2020-03-24 05:12:45,109 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:12:45,109 [root] DEBUG: DLL loaded at 0x73CD0000: C:\Windows\system32\rasman (0x15000 bytes).
2020-03-24 05:12:45,109 [root] DEBUG: Process dumps disabled.
2020-03-24 05:12:45,125 [root] DEBUG: DLL unloaded from 0x73C30000.
2020-03-24 05:12:45,125 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\system32\rtutils (0xd000 bytes).
2020-03-24 05:12:45,125 [root] INFO: Disabling sleep skipping.
2020-03-24 05:12:45,125 [root] DEBUG: DLL unloaded from 0x75600000.
2020-03-24 05:12:45,141 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 05:12:45,141 [root] DEBUG: DLL unloaded from 0x73CD0000.
2020-03-24 05:12:45,141 [root] DEBUG: DLL loaded at 0x73C10000: C:\Windows\system32\sensapi (0x6000 bytes).
2020-03-24 05:12:45,141 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 05:12:45,141 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2020-03-24 05:12:45,141 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xb0000
2020-03-24 05:12:45,141 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2576.
2020-03-24 05:12:45,141 [root] DEBUG: Debugger initialised.
2020-03-24 05:12:45,141 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:12:45,141 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1784 at 0x747d0000, image base 0x1180000, stack from 0x2c2000-0x2d0000
2020-03-24 05:12:45,157 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2576 (process 1576), skipping.
2020-03-24 05:12:45,157 [root] DEBUG: Commandline: C:\Users\user\Desktop\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1576 CREDAT:79873.
2020-03-24 05:12:45,157 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2576 (process 1576), skipping.
2020-03-24 05:12:45,157 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01180000) returned 0x00000000.
2020-03-24 05:12:45,157 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3016.
2020-03-24 05:12:45,157 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:12:45,157 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2020-03-24 05:12:45,157 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01180000) -> AllocationBase 0x01180000 RegionSize 0x4096.
2020-03-24 05:12:45,157 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 3016 (process 1576), skipping.
2020-03-24 05:12:45,157 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2020-03-24 05:12:45,157 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1c9a, Entropy 6.664381e+00
2020-03-24 05:12:45,157 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2020-03-24 05:12:45,157 [root] DEBUG: AddTrackedRegion: New region at 0x01180000 size 0x1000 added to tracked regions.
2020-03-24 05:12:45,157 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2020-03-24 05:12:45,157 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:12:45,157 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-03-24 05:12:45,173 [root] INFO: Added new process to list with pid: 1784
2020-03-24 05:12:45,173 [root] DEBUG: DLL loaded at 0x73C20000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-03-24 05:12:45,173 [root] INFO: Monitor successfully loaded in process with pid 1784.
2020-03-24 05:12:45,173 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 3016 (process 1576), skipping.
2020-03-24 05:12:45,173 [root] DEBUG: DLL loaded at 0x73BF0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-03-24 05:12:45,173 [root] DEBUG: DLL unloaded from 0x754F0000.
2020-03-24 05:12:45,173 [root] DEBUG: DLL loaded at 0x73BB0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-03-24 05:12:45,173 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\system32\IEFRAME (0xa80000 bytes).
2020-03-24 05:12:45,173 [root] DEBUG: DLL loaded at 0x73B80000: C:\Windows\system32\IEUI (0x2d000 bytes).
2020-03-24 05:12:45,173 [root] DEBUG: DLL loaded at 0x73C90000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2020-03-24 05:12:45,187 [root] DEBUG: DLL loaded at 0x73C00000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2020-03-24 05:12:45,187 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 05:12:45,187 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3056.
2020-03-24 05:12:45,187 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\comdlg32 (0x7b000 bytes).
2020-03-24 05:12:45,187 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 3056 (process 1576), skipping.
2020-03-24 05:12:45,187 [root] DEBUG: Allocation: 0x5FFF0000 - 0x60000000, size: 0x10000, protection: 0x40.
2020-03-24 05:12:45,187 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 3056 (process 1576), skipping.
2020-03-24 05:12:45,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:12:45,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:12:45,187 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2784.
2020-03-24 05:12:45,203 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2784 (process 1576), skipping.
2020-03-24 05:12:45,203 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.665040e+00.
2020-03-24 05:12:45,203 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2784 (process 1576), skipping.
2020-03-24 05:12:45,203 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x5FFF0000, size: 0x10000.
2020-03-24 05:12:45,219 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x5FFF0000) returned 0x00000000.
2020-03-24 05:12:45,219 [root] DEBUG: DLL loaded at 0x73B50000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2020-03-24 05:12:45,219 [root] DEBUG: Allocation: 0x00DB0000 - 0x00DB2000, size: 0x2000, protection: 0x40.
2020-03-24 05:12:45,234 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:12:45,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:12:45,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:12:45,234 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x5FFF0000) -> AllocationBase 0x5FFF0000 RegionSize 0x65536.
2020-03-24 05:12:45,234 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.665045e+00.
2020-03-24 05:12:45,234 [root] DEBUG: AddTrackedRegion: New region at 0x5FFF0000 size 0x10000 added to tracked regions.
2020-03-24 05:12:45,234 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 1924
2020-03-24 05:12:45,250 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x5FFF0000.
2020-03-24 05:12:45,250 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00DB0000, size: 0x2000.
2020-03-24 05:12:45,250 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x5FFF0000 and Type=0x1.
2020-03-24 05:12:45,250 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00DB0000) returned 0x00000000.
2020-03-24 05:12:45,250 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1924 type 1 at address 0x5FFF0000, size 2 with Callback 0x747d7510.
2020-03-24 05:12:45,266 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x5FFF0000
2020-03-24 05:12:45,266 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:12:45,266 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:12:45,266 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00DB0000) -> AllocationBase 0x00DB0000 RegionSize 0x8192.
2020-03-24 05:12:45,266 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1924 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:12:45,266 [root] DEBUG: AddTrackedRegion: New region at 0x00DB0000 size 0x2000 added to tracked regions.
2020-03-24 05:12:45,266 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:12:45,266 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00DB0000, TrackedRegion->RegionSize: 0x2000, thread 2784
2020-03-24 05:12:45,266 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x5FFF0000 (size 0x10000).
2020-03-24 05:12:45,266 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x5FFF0000 to 0x00DB0000.
2020-03-24 05:12:45,266 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:12:45,266 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 3016.
2020-03-24 05:12:45,266 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x72FDDAF5 (thread 1924)
2020-03-24 05:12:45,266 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:12:45,266 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x5FFF0000.
2020-03-24 05:12:45,266 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:12:45,266 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:12:45,282 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x5FFF0000 - 0x60000000.
2020-03-24 05:12:45,282 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5fff0000: 0x64.
2020-03-24 05:12:45,282 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\1576_2574929964512524232020 successfully created, size 0x10000
2020-03-24 05:12:45,282 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:12:45,282 [root] DEBUG: DLL loaded at 0x73B10000: C:\Program Files (x86)\Internet Explorer\IEShims (0x35000 bytes).
2020-03-24 05:12:45,282 [root] DEBUG: ProtectionHandler: Address 0x5FFF0000 already in tracked region at 0x5FFF0000, size 0x10000
2020-03-24 05:12:45,282 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\1576_2574929964512524232020
2020-03-24 05:12:45,282 [root] DEBUG: ProtectionHandler: Address: 0x5FFF0000 (alloc base 0x5FFF0000), NumberOfBytesToProtect: 0x10000, NewAccessProtection: 0x20
2020-03-24 05:12:45,296 [root] DEBUG: DumpRegion: Dumped stack region from 0x5FFF0000, size 0x10000.
2020-03-24 05:12:45,296 [root] DEBUG: ProtectionHandler: Updated region protection at 0x5FFF0000 to 0x20.
2020-03-24 05:12:45,296 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x5FFF0000.
2020-03-24 05:12:45,296 [root] DEBUG: ProtectionHandler: New code detected at (0x5FFF0000), scanning for PE images.
2020-03-24 05:12:45,296 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5fff0000 - 0x60000000.
2020-03-24 05:12:45,296 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:12:45,296 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 3016.
2020-03-24 05:12:45,296 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:12:45,296 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x4ac, Size=0x2, Address=0x00DB0000 and Type=0x1.
2020-03-24 05:12:45,296 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:12:45,296 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2784 type 1 at address 0x00DB0000, size 2 with Callback 0x747d7510.
2020-03-24 05:12:45,296 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:12:45,296 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00DB0000
2020-03-24 05:12:45,296 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x5FFF0000, TrackedRegion->RegionSize: 0x10000, thread 1924
2020-03-24 05:12:45,296 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x4ac, Size=0x4, Address=0x00DB003C and Type=0x1.
2020-03-24 05:12:45,296 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x0, Address=0x5FFF0000 and Type=0x0.
2020-03-24 05:12:45,296 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2784 type 1 at address 0x00DB003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:12:45,312 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1924 type 0 at address 0x5FFF0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:12:45,312 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x00DB003C
2020-03-24 05:12:45,312 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0x64 at protected address: 0x5FFF0000
2020-03-24 05:12:45,312 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00DB0000 (size 0x2000).
2020-03-24 05:12:45,312 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x5FFF003C and Type=0x1.
2020-03-24 05:12:45,312 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x752EAAB6 (thread 2784)
2020-03-24 05:12:45,312 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1924 type 1 at address 0x5FFF003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:12:45,312 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00DB0000.
2020-03-24 05:12:45,312 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x5FFF003C
2020-03-24 05:12:45,312 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00DB0000 and Type=0x0.
2020-03-24 05:12:45,312 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x5FFF0000.
2020-03-24 05:12:45,312 [root] DEBUG: BaseAddressWriteCallback: byte written to 0xdb0000: 0xb0.
2020-03-24 05:12:45,328 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-03-24 05:12:45,328 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:12:45,328 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2532.
2020-03-24 05:12:45,328 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x752EAAB6 (thread 2784)
2020-03-24 05:12:45,328 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2532 (process 1784), skipping.
2020-03-24 05:12:45,328 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x00DB003C.
2020-03-24 05:12:45,328 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2532 (process 1784), skipping.
2020-03-24 05:12:45,328 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x34eb0fb0 (at 0x00DB003C).
2020-03-24 05:12:45,328 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3000.
2020-03-24 05:12:45,328 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00DB0000 already exists for thread 2784 (process 1576), skipping.
2020-03-24 05:12:45,328 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 3000 (process 1784), skipping.
2020-03-24 05:12:45,328 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00DB0000.
2020-03-24 05:12:45,328 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 3000 (process 1784), skipping.
2020-03-24 05:12:45,328 [root] DEBUG: ProtectionHandler: Address 0x00DB0000 already in tracked region at 0x00DB0000, size 0x2000
2020-03-24 05:12:45,328 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2864.
2020-03-24 05:12:45,328 [root] DEBUG: ProtectionHandler: Address: 0x00DB0000 (alloc base 0x00DB0000), NumberOfBytesToProtect: 0x1e80, NewAccessProtection: 0x20
2020-03-24 05:12:45,344 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 2864 (process 1784), skipping.
2020-03-24 05:12:45,344 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00DB0000 to 0x20.
2020-03-24 05:12:45,344 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 2864 (process 1784), skipping.
2020-03-24 05:12:45,344 [root] DEBUG: ProtectionHandler: New code detected at (0x00DB0000), scanning for PE images.
2020-03-24 05:12:45,344 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Program Files (x86)\Internet Explorer\sqmapi (0x33000 bytes).
2020-03-24 05:12:45,344 [root] DEBUG: DumpPEsInRange: Scanning range 0xdb0000 - 0xdb2000.
2020-03-24 05:12:45,344 [root] DEBUG: DLL unloaded from 0x76C00000.
2020-03-24 05:12:45,344 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xdb0000-0xdb2000.
2020-03-24 05:12:45,344 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:12:45,344 [root] DEBUG: DumpPEsInRange: Scanning range 0xdb0000 - 0xdb1e80.
2020-03-24 05:12:45,344 [root] DEBUG: DLL unloaded from 0x73AD0000.
2020-03-24 05:12:45,359 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xdb0000-0xdb1e80.
2020-03-24 05:12:45,359 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 05:12:45,359 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00DB0000, TrackedRegion->RegionSize: 0x2000, thread 2784
2020-03-24 05:12:45,359 [root] DEBUG: DLL loaded at 0x72E70000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-03-24 05:12:45,359 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 3016.
2020-03-24 05:12:45,359 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 05:12:45,359 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x4ac, Size=0x0, Address=0x00DB0000 and Type=0x0.
2020-03-24 05:12:45,359 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 05:12:45,375 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2784 type 0 at address 0x00DB0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:12:45,391 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 05:12:45,391 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0xb0 at protected address: 0x00DB0000
2020-03-24 05:12:45,391 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 05:12:45,391 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x4ac, Size=0x4, Address=0x00DB003C and Type=0x1.
2020-03-24 05:12:45,391 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 05:12:45,391 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2784 type 1 at address 0x00DB003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:12:45,391 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 05:12:45,391 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x00DB003C
2020-03-24 05:12:45,407 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x00DB0000.
2020-03-24 05:12:45,407 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 05:12:45,407 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2596.
2020-03-24 05:12:45,407 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-03-24 05:12:45,437 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-03-24 05:12:45,437 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 05:12:45,437 [root] DEBUG: DLL loaded at 0x72E70000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-03-24 05:12:45,437 [root] DEBUG: DLL loaded at 0x73AE0000: C:\Windows\system32\xmllite (0x2f000 bytes).
2020-03-24 05:12:45,469 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 05:12:45,469 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 05:12:45,469 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 05:12:45,469 [root] DEBUG: DLL loaded at 0x72D00000: C:\Windows\system32\explorerframe (0x16f000 bytes).
2020-03-24 05:12:45,469 [root] DEBUG: DLL loaded at 0x72CD0000: C:\Windows\system32\DUser (0x2f000 bytes).
2020-03-24 05:12:45,500 [root] DEBUG: DLL loaded at 0x72C10000: C:\Windows\system32\DUI70 (0xb2000 bytes).
2020-03-24 05:12:45,516 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2020-03-24 05:12:45,530 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 05:12:45,530 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 05:12:45,530 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\dnsapi (0x44000 bytes).
2020-03-24 05:12:45,530 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-03-24 05:12:45,530 [root] DEBUG: DLL loaded at 0x73CF0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2020-03-24 05:12:45,530 [root] DEBUG: DLL loaded at 0x73F80000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 05:12:45,546 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 05:12:45,546 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1312.
2020-03-24 05:12:45,546 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:12:45,546 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x5FFF0000 already exists for thread 1312 (process 1784), skipping.
2020-03-24 05:12:45,546 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x5FFF003C already exists for thread 1312 (process 1784), skipping.
2020-03-24 05:12:45,546 [root] DEBUG: DLL loaded at 0x73B50000: C:\Program Files (x86)\Internet Explorer\ieproxy (0x2b000 bytes).
2020-03-24 05:12:45,546 [root] DEBUG: Allocation: 0x005F0000 - 0x005F2000, size: 0x2000, protection: 0x40.
2020-03-24 05:12:45,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:12:45,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:12:45,562 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.665040e+00.
2020-03-24 05:12:45,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x5FFF0000.
2020-03-24 05:12:45,562 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x005F0000, size: 0x2000.
2020-03-24 05:12:45,562 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x005F0000) returned 0x00000000.
2020-03-24 05:12:45,562 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 05:12:45,562 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x005F0000) -> AllocationBase 0x005F0000 RegionSize 0x8192.
2020-03-24 05:12:45,562 [root] DEBUG: AddTrackedRegion: New region at 0x005F0000 size 0x2000 added to tracked regions.
2020-03-24 05:12:45,562 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x005F0000, TrackedRegion->RegionSize: 0x2000, thread 2864
2020-03-24 05:12:45,562 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x5FFF0000 to 0x005F0000.
2020-03-24 05:12:45,562 [root] DEBUG: DumpPEsInRange: Scanning range 0x5fff0000 - 0x60000000.
2020-03-24 05:12:45,562 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5fff0000-0x60000000.
2020-03-24 05:12:45,578 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x5FFF0000 - 0x60000000.
2020-03-24 05:12:45,578 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\1784_8747399944512524232020 successfully created, size 0x10000
2020-03-24 05:12:45,594 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\1784_8747399944512524232020
2020-03-24 05:12:45,594 [root] DEBUG: DumpRegion: Dumped stack region from 0x5FFF0000, size 0x10000.
2020-03-24 05:12:45,594 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x5FFF0000.
2020-03-24 05:12:45,594 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5fff0000 - 0x60000000.
2020-03-24 05:12:45,594 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x1c8, Size=0x2, Address=0x005F0000 and Type=0x1.
2020-03-24 05:12:45,594 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2864 type 1 at address 0x005F0000, size 2 with Callback 0x747d7510.
2020-03-24 05:12:45,594 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x005F0000
2020-03-24 05:12:45,594 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x1c8, Size=0x4, Address=0x005F003C and Type=0x1.
2020-03-24 05:12:45,608 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2864 type 1 at address 0x005F003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:12:45,608 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x005F003C
2020-03-24 05:12:45,608 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x005F0000 (size 0x2000).
2020-03-24 05:12:45,608 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x752EAAB6 (thread 2864)
2020-03-24 05:12:45,608 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x005F0000.
2020-03-24 05:12:45,608 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x005F0000 and Type=0x0.
2020-03-24 05:12:45,608 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x5f0000: 0xb0.
2020-03-24 05:12:45,608 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 05:12:45,608 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x752EAAB6 (thread 2864)
2020-03-24 05:12:45,608 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x005F003C.
2020-03-24 05:12:45,608 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x34eb0fb0 (at 0x005F003C).
2020-03-24 05:12:45,625 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x005F0000 already exists for thread 2864 (process 1784), skipping.
2020-03-24 05:12:45,625 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x005F0000.
2020-03-24 05:12:45,625 [root] DEBUG: ProtectionHandler: Address 0x005F0000 already in tracked region at 0x005F0000, size 0x2000
2020-03-24 05:12:45,625 [root] DEBUG: ProtectionHandler: Address: 0x005F0000 (alloc base 0x005F0000), NumberOfBytesToProtect: 0x1e80, NewAccessProtection: 0x20
2020-03-24 05:12:45,625 [root] DEBUG: ProtectionHandler: Updated region protection at 0x005F0000 to 0x20.
2020-03-24 05:12:45,625 [root] DEBUG: ProtectionHandler: New code detected at (0x005F0000), scanning for PE images.
2020-03-24 05:12:45,625 [root] DEBUG: DumpPEsInRange: Scanning range 0x5f0000 - 0x5f2000.
2020-03-24 05:12:45,625 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5f0000-0x5f2000.
2020-03-24 05:12:45,625 [root] DEBUG: DumpPEsInRange: Scanning range 0x5f0000 - 0x5f1e80.
2020-03-24 05:12:45,625 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5f0000-0x5f1e80.
2020-03-24 05:12:45,625 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x005F0000, TrackedRegion->RegionSize: 0x2000, thread 2864
2020-03-24 05:12:45,625 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x1c8, Size=0x0, Address=0x005F0000 and Type=0x0.
2020-03-24 05:12:45,625 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2864 type 0 at address 0x005F0000, size 0 with Callback 0x747d73a0.
2020-03-24 05:12:45,641 [root] DEBUG: ActivateBreakpoints: Set execution breakpoint on non-zero byte 0xb0 at protected address: 0x005F0000
2020-03-24 05:12:45,641 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x1c8, Size=0x4, Address=0x005F003C and Type=0x1.
2020-03-24 05:12:45,641 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2864 type 1 at address 0x005F003C, size 4 with Callback 0x747d71a0.
2020-03-24 05:12:45,641 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x005F003C
2020-03-24 05:12:45,641 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x005F0000.
2020-03-24 05:12:45,655 [root] DEBUG: DLL loaded at 0x72BE0000: C:\Windows\system32\MLANG (0x2e000 bytes).
2020-03-24 05:12:45,655 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\UxTheme (0x80000 bytes).
2020-03-24 05:12:45,687 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 05:12:45,687 [root] DEBUG: DLL loaded at 0x72BC0000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim (0x11000 bytes).
2020-03-24 05:12:45,687 [root] DEBUG: DLL loaded at 0x72B20000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2020-03-24 05:12:45,687 [root] DEBUG: DLL loaded at 0x72A90000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80 (0x87000 bytes).
2020-03-24 05:12:45,703 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper (0x10000 bytes).
2020-03-24 05:12:46,561 [root] DEBUG: DLL loaded at 0x72950000: C:\PROGRA~2\MICROS~1\Office14\URLREDIR (0x91000 bytes).
2020-03-24 05:12:46,561 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-03-24 05:12:46,561 [root] DEBUG: DLL loaded at 0x73AA0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-03-24 05:12:46,561 [root] DEBUG: DLL loaded at 0x74D80000: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90 (0xa3000 bytes).
2020-03-24 05:12:46,561 [root] DEBUG: DLL loaded at 0x72A70000: C:\PROGRA~2\MICROS~1\Office14\MSOHEV (0x14000 bytes).
2020-03-24 05:12:46,576 [root] DEBUG: DLL loaded at 0x72A60000: C:\Program Files (x86)\Java\jre7\bin\jp2ssv (0xf000 bytes).
2020-03-24 05:12:46,576 [root] DEBUG: DLL loaded at 0x72890000: C:\Program Files (x86)\Java\jre7\bin\MSVCR100 (0xbe000 bytes).
2020-03-24 05:12:46,576 [root] DEBUG: set_caller_info: Adding region at 0x04340000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 05:12:46,576 [root] DEBUG: set_caller_info: Adding region at 0x00B00000 to caller regions list (advapi32::RegOpenKeyExA).
2020-03-24 05:12:46,576 [root] DEBUG: DLL loaded at 0x74470000: C:\Windows\system32\DWMAPI (0x13000 bytes).
2020-03-24 05:12:46,592 [root] DEBUG: DLL loaded at 0x72A00000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-03-24 05:12:46,592 [root] DEBUG: DLL loaded at 0x72A00000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-03-24 05:12:46,622 [root] DEBUG: DLL loaded at 0x727F0000: C:\Windows\system32\msfeeds (0x96000 bytes).
2020-03-24 05:12:46,622 [root] DEBUG: DLL unloaded from 0x72F70000.
2020-03-24 05:12:46,733 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:12:46,733 [root] DEBUG: DLL loaded at 0x72A00000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2020-03-24 05:12:46,733 [root] DEBUG: connect hook: Failed to dump region at 0x06DEF760 around 127.0.0.1.
2020-03-24 05:12:46,779 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2020-03-24 05:12:46,779 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 05:12:46,857 [root] DEBUG: DLL loaded at 0x73C30000: C:\Windows\system32\RASAPI32 (0x52000 bytes).
2020-03-24 05:12:46,857 [root] DEBUG: DLL loaded at 0x73CD0000: C:\Windows\system32\rasman (0x15000 bytes).
2020-03-24 05:12:46,857 [root] DEBUG: DLL unloaded from 0x73C30000.
2020-03-24 05:12:46,857 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\system32\rtutils (0xd000 bytes).
2020-03-24 05:12:46,857 [root] DEBUG: DLL unloaded from 0x75600000.
2020-03-24 05:12:46,872 [root] DEBUG: DLL loaded at 0x73C10000: C:\Windows\system32\sensapi (0x6000 bytes).
2020-03-24 05:12:46,872 [root] DEBUG: DLL loaded at 0x73C10000: C:\Windows\system32\sensapi (0x6000 bytes).
2020-03-24 05:12:46,872 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\NLAapi (0x10000 bytes).
2020-03-24 05:12:46,872 [root] DEBUG: DLL loaded at 0x74BC0000: C:\Windows\system32\napinsp (0x10000 bytes).
2020-03-24 05:12:46,872 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2020-03-24 05:12:46,872 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2020-03-24 05:12:46,888 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\System32\winrnr (0x8000 bytes).
2020-03-24 05:12:46,888 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-03-24 05:12:46,888 [root] DEBUG: DLL loaded at 0x73C20000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-03-24 05:12:46,888 [root] DEBUG: DLL loaded at 0x73BF0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-03-24 05:12:46,888 [root] DEBUG: DLL loaded at 0x73BB0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-03-24 05:12:46,934 [root] DEBUG: connect hook: Failed to dump region at 0x0653CF40 around 204.79.197.200.
2020-03-24 05:12:46,967 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:12:46,967 [root] DEBUG: connect hook: Failed to dump region at 0x0655F778 around 127.0.0.1.
2020-03-24 05:12:46,967 [root] DEBUG: DLL loaded at 0x751A0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2020-03-24 05:12:47,434 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\favicon[1].ico" does not exist, skip.
2020-03-24 05:12:49,650 [root] DEBUG: DLL loaded at 0x72230000: C:\Windows\SysWOW64\mshtml (0x5b7000 bytes).
2020-03-24 05:12:49,680 [root] DEBUG: DLL loaded at 0x72200000: C:\Windows\SysWOW64\msls31 (0x2a000 bytes).
2020-03-24 05:12:49,711 [root] DEBUG: DLL unloaded from 0x72F70000.
2020-03-24 05:12:49,775 [root] DEBUG: DLL loaded at 0x721D0000: C:\Windows\SysWOW64\iepeers (0x30000 bytes).
2020-03-24 05:12:49,775 [root] DEBUG: DLL loaded at 0x743F0000: C:\Windows\SysWOW64\WINSPOOL.DRV (0x51000 bytes).
2020-03-24 05:12:49,805 [root] DEBUG: DLL loaded at 0x729F0000: C:\Windows\system32\msimtf (0xb000 bytes).
2020-03-24 05:12:49,836 [root] DEBUG: DLL loaded at 0x72110000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2020-03-24 05:12:49,836 [root] DEBUG: DLL loaded at 0x72BE0000: C:\Windows\system32\MLANG (0x2e000 bytes).
2020-03-24 05:12:49,898 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2304.
2020-03-24 05:12:49,898 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:12:49,930 [root] DEBUG: DLL unloaded from 0x72F70000.
2020-03-24 05:12:49,930 [root] DEBUG: CreateThread: Initialising breakpoints for thread 804.
2020-03-24 05:12:49,930 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:12:49,946 [root] DEBUG: DLL loaded at 0x72100000: C:\Windows\system32\ImgUtil (0xb000 bytes).
2020-03-24 05:12:49,976 [root] DEBUG: DLL loaded at 0x720F0000: C:\Windows\SysWOW64\pngfilt (0xe000 bytes).
2020-03-24 05:12:50,009 [root] DEBUG: DLL unloaded from 0x72F70000.
2020-03-24 05:12:50,071 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 05:12:50,148 [root] DEBUG: DLL loaded at 0x744A0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-03-24 05:12:50,148 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\wintrust (0x2d000 bytes).
2020-03-24 05:12:50,180 [root] DEBUG: DLL loaded at 0x720B0000: C:\Windows\system32\schannel (0x3a000 bytes).
2020-03-24 05:12:50,196 [root] DEBUG: DLL loaded at 0x71F70000: C:\Windows\System32\msxml3 (0x133000 bytes).
2020-03-24 05:12:50,257 [root] DEBUG: DLL loaded at 0x71F50000: C:\Windows\SysWOW64\msfeedsbs (0x12000 bytes).
2020-03-24 05:12:50,257 [root] DEBUG: DLL loaded at 0x73AA0000: C:\Windows\SysWOW64\Secur32 (0x8000 bytes).
2020-03-24 05:12:53,003 [root] DEBUG: connect hook: Failed to dump region at 0x0653CDF8 around 204.79.197.200.
2020-03-24 05:12:53,035 [root] DEBUG: DLL unloaded from 0x75600000.
2020-03-24 05:13:00,756 [root] DEBUG: DLL unloaded from 0x751B0000.
2020-03-24 05:13:00,756 [root] DEBUG: DLL loaded at 0x71F40000: C:\Windows\system32\credssp (0x8000 bytes).
2020-03-24 05:13:00,773 [root] DEBUG: DLL unloaded from 0x000007FEF9BE0000.
2020-03-24 05:13:00,773 [root] DEBUG: DLL unloaded from 0x74C70000.
2020-03-24 05:13:00,788 [root] DEBUG: DLL unloaded from 0x000007FEF97C0000.
2020-03-24 05:13:00,803 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2020-03-24 05:13:00,803 [root] DEBUG: DLL unloaded from 0x73F90000.
2020-03-24 05:13:00,803 [root] DEBUG: DLL unloaded from 0x75600000.
2020-03-24 05:13:00,803 [root] DEBUG: DLL unloaded from 0x000007FEF9A00000.
2020-03-24 05:13:00,819 [root] DEBUG: DLL unloaded from 0x72230000.
2020-03-24 05:13:00,835 [root] INFO: Stopped Task Scheduler Service
2020-03-24 05:13:00,851 [root] DEBUG: DLL unloaded from 0x000007FEFA0A0000.
2020-03-24 05:13:00,851 [root] DEBUG: DLL unloaded from 0x73FB0000.
2020-03-24 05:13:00,865 [root] DEBUG: DLL unloaded from 0x741B0000.
2020-03-24 05:13:00,865 [root] DEBUG: DLL unloaded from 0x000007FEF9D50000.
2020-03-24 05:13:00,881 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1304).
2020-03-24 05:13:00,881 [root] INFO: Started Task Scheduler Service
2020-03-24 05:13:00,881 [root] DEBUG: DLL unloaded from 0x74A10000.
2020-03-24 05:13:00,881 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 05:13:00,881 [root] DEBUG: DLL unloaded from 0x74A90000.
2020-03-24 05:13:00,881 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFCC0000.
2020-03-24 05:13:00,881 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 05:13:00,897 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2804).
2020-03-24 05:13:00,897 [root] DEBUG: ProcessImageBase: EP 0x000000000000A9B4 image base 0x00000000FFCC0000 size 0x0 entropy 5.871123e+00.
2020-03-24 05:13:00,897 [lib.api.process] INFO: 64-bit DLL to inject is C:\vgzsvvr\dll\qdmwqOp.dll, loader C:\vgzsvvr\bin\OtyCQoYH.exe
2020-03-24 05:13:00,897 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:13:00,897 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2780.
2020-03-24 05:13:00,897 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00200000.
2020-03-24 05:13:00,897 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pSNnCqspPc.
2020-03-24 05:13:00,913 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1368.
2020-03-24 05:13:00,913 [root] DEBUG: ProcessImageBase: EP 0x0000F643 image base 0x00200000 size 0x0 entropy 6.322614e+00.
2020-03-24 05:13:00,913 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:13:00,913 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1336.
2020-03-24 05:13:00,913 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2976.
2020-03-24 05:13:00,913 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 820, handle 0x84
2020-03-24 05:13:00,913 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 05:13:00,913 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 992.
2020-03-24 05:13:00,913 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 05:13:00,913 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 05:13:00,913 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2020-03-24 05:13:00,913 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 05:13:00,913 [root] DEBUG: DLL unloaded from 0x749D0000.
2020-03-24 05:13:00,913 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2020-03-24 05:13:00,928 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 05:13:00,928 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2804).
2020-03-24 05:13:00,928 [root] DEBUG: Process dumps disabled.
2020-03-24 05:13:00,928 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:13:00,928 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00200000.
2020-03-24 05:13:00,928 [root] INFO: Disabling sleep skipping.
2020-03-24 05:13:00,928 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1304).
2020-03-24 05:13:00,928 [root] DEBUG: ProcessImageBase: EP 0x0000F643 image base 0x00200000 size 0x0 entropy 6.322614e+00.
2020-03-24 05:13:00,928 [root] WARNING: Unable to place hook on LockResource
2020-03-24 05:13:00,944 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2976.
2020-03-24 05:13:00,944 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 05:13:00,944 [root] WARNING: Unable to hook LockResource
2020-03-24 05:13:00,944 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 992.
2020-03-24 05:13:00,944 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFCC0000.
2020-03-24 05:13:00,944 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1620.
2020-03-24 05:13:00,944 [root] DEBUG: ProcessImageBase: EP 0x000000000000A9B4 image base 0x00000000FFCC0000 size 0x0 entropy 5.871123e+00.
2020-03-24 05:13:00,944 [root] INFO: Notified of termination of process with pid 2804.
2020-03-24 05:13:00,944 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2780.
2020-03-24 05:13:00,974 [root] DEBUG: Debugger initialised.
2020-03-24 05:13:00,974 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 816 at 0x0000000074250000, image base 0x00000000FFA10000, stack from 0x0000000001736000-0x0000000001740000
2020-03-24 05:13:01,069 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1368.
2020-03-24 05:13:01,069 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-03-24 05:13:01,069 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1336.
2020-03-24 05:13:01,069 [root] INFO: Notified of termination of process with pid 1304.
2020-03-24 05:13:07,417 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFA10000) returned 0x0000000000000000.
2020-03-24 05:13:07,417 [root] DEBUG: DLL loaded at 0x73F90000: C:\Windows\system32\ncrypt (0x38000 bytes).
2020-03-24 05:13:07,417 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 05:13:07,417 [root] DEBUG: DLL loaded at 0x73D40000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-03-24 05:13:07,417 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFA10000) -> AllocationBase 0x00000000FFA10000 RegionSize 0x4096.
2020-03-24 05:13:07,417 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2852.
2020-03-24 05:13:07,417 [root] DEBUG: DLL loaded at 0x71F00000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2020-03-24 05:13:07,417 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.672265e+00
2020-03-24 05:13:07,417 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 05:13:07,464 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2020-03-24 05:13:07,480 [root] DEBUG: DLL loaded at 0x73D20000: C:\Windows\system32\GPAPI (0x16000 bytes).
2020-03-24 05:13:07,480 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 05:13:07,480 [root] INFO: Added new process to list with pid: 816
2020-03-24 05:13:07,480 [root] INFO: Monitor successfully loaded in process with pid 816.
2020-03-24 05:13:07,480 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 05:13:07,480 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 05:13:07,480 [root] DEBUG: Successfully injected DLL C:\vgzsvvr\dll\qdmwqOp.dll.
2020-03-24 05:13:07,542 [root] DEBUG: DLL loaded at 0x71EE0000: C:\Windows\system32\cryptnet (0x1c000 bytes).
2020-03-24 05:13:07,573 [root] DEBUG: DLL loaded at 0x74390000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-03-24 05:13:07,573 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\webio (0x4f000 bytes).
2020-03-24 05:13:07,573 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 05:13:07,589 [root] DEBUG: DLL loaded at 0x74A00000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-03-24 05:13:07,605 [root] DEBUG: DLL loaded at 0x71EC0000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-03-24 05:13:07,605 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:13:13,361 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2020-03-24 05:13:19,351 [root] DEBUG: DLL loaded at 0x71E40000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-03-24 05:13:19,368 [root] DEBUG: DLL unloaded from 0x74390000.
2020-03-24 05:13:19,368 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4500000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 05:13:19,414 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:13:19,414 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1376.
2020-03-24 05:13:19,539 [root] DEBUG: DLL unloaded from 0x74390000.
2020-03-24 05:13:19,539 [root] DEBUG: DLL unloaded from 0x74390000.
2020-03-24 05:13:19,585 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 05:13:19,585 [root] DEBUG: DLL unloaded from 0x74390000.
2020-03-24 05:13:20,288 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2020-03-24 05:13:20,802 [root] DEBUG: DLL unloaded from 0x751B0000.
2020-03-24 05:13:20,881 [root] DEBUG: DLL unloaded from 0x71EE0000.
2020-03-24 05:13:27,355 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 05:13:27,371 [root] DEBUG: DLL loaded at 0x71E20000: C:\Windows\system32\Cabinet (0x15000 bytes).
2020-03-24 05:13:27,371 [root] INFO: Created shutdown mutex.
2020-03-24 05:13:30,911 [root] DEBUG: DLL loaded at 0x73D10000: C:\Windows\system32\DEVRTL (0xe000 bytes).
2020-03-24 05:13:30,911 [lib.api.process] INFO: Terminate event set for process 2788
2020-03-24 05:13:30,911 [root] DEBUG: DLL unloaded from 0x751B0000.
2020-03-24 05:13:30,911 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 2788).
2020-03-24 05:13:30,911 [root] DEBUG: DLL unloaded from 0x75A70000.
2020-03-24 05:13:30,927 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:13:30,927 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 05:13:30,927 [root] DEBUG: ProcessImageBase: EP 0x000027C1 image base 0x000B0000 size 0x0 entropy 3.399574e+00.
2020-03-24 05:13:30,943 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01BE0000.
2020-03-24 05:13:30,943 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00390000.
2020-03-24 05:13:30,943 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-03-24 05:13:30,943 [lib.api.process] INFO: Termination confirmed for process 2788
2020-03-24 05:13:30,959 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2788
2020-03-24 05:13:30,959 [root] INFO: Terminate event set for process 2788.
2020-03-24 05:13:30,973 [root] INFO: Terminating process 2788 before shutdown.
2020-03-24 05:13:30,973 [root] INFO: Waiting for process 2788 to exit.
2020-03-24 05:13:31,223 [root] DEBUG: DLL unloaded from 0x72F70000.
2020-03-24 05:13:31,987 [root] INFO: Waiting for process 2788 to exit.
2020-03-24 05:13:45,342 [root] INFO: Waiting for process 2788 to exit.
2020-03-24 05:13:50,286 [root] DEBUG: DLL unloaded from 0x75600000.
2020-03-24 05:13:50,302 [lib.api.process] INFO: Terminate event set for process 1632
2020-03-24 05:13:50,302 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1632).
2020-03-24 05:13:50,334 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 05:13:50,334 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 05:13:50,334 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860285e+00.
2020-03-24 05:13:50,334 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2192.
2020-03-24 05:13:50,349 [lib.api.process] INFO: Termination confirmed for process 1632
2020-03-24 05:13:50,349 [root] INFO: Terminate event set for process 1632.
2020-03-24 05:13:50,349 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1632
2020-03-24 05:13:50,349 [root] INFO: Terminating process 1632 before shutdown.
2020-03-24 05:13:50,349 [root] INFO: Waiting for process 1632 to exit.
2020-03-24 05:13:50,536 [root] DEBUG: DLL loaded at 0x000007FEF7F80000: C:\Windows\system32\actxprxy (0xee000 bytes).
2020-03-24 05:13:50,536 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7F80000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 05:13:50,957 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1336.
2020-03-24 05:13:50,957 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 05:13:50,973 [root] DEBUG: DLL loaded at 0x000007FEFA9A0000: c:\windows\system32\mmcss (0x1d000 bytes).
2020-03-24 05:13:50,973 [root] DEBUG: DLL loaded at 0x000007FEFB9F0000: c:\windows\system32\AVRT (0x9000 bytes).
2020-03-24 05:13:50,973 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA9A0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 05:13:50,973 [root] DEBUG: DLL unloaded from 0x000007FEFA9A0000.
2020-03-24 05:13:50,989 [root] DEBUG: DLL unloaded from 0x71EE0000.
2020-03-24 05:13:50,989 [root] DEBUG: DLL unloaded from 0x75790000.
2020-03-24 05:13:51,473 [lib.api.process] INFO: Terminate event set for process 1576
2020-03-24 05:13:51,473 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1576).
2020-03-24 05:13:51,473 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 05:13:51,519 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01180000.
2020-03-24 05:13:51,519 [root] DEBUG: ProcessImageBase: EP 0x00001C9A image base 0x01180000 size 0x0 entropy 6.665045e+00.
2020-03-24 05:13:51,721 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x5FFF0000.
2020-03-24 05:13:51,721 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00DB0000.
2020-03-24 05:13:51,737 [root] DEBUG: DumpPEsInRange: Scanning range 0xdb0000 - 0xdb2000.
2020-03-24 05:13:51,737 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xdb0000-0xdb2000.
2020-03-24 05:13:51,753 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00DB0000 - 0x00DB2000.
2020-03-24 05:13:51,753 [root] DEBUG: DumpMemory: CAPE output file C:\hLUpzAAQj\CAPE\1576_6616254745113524232020 successfully created, size 0x2000
2020-03-24 05:13:51,785 [root] INFO: Added new CAPE file to list with path: C:\hLUpzAAQj\CAPE\1576_6616254745113524232020
2020-03-24 05:13:51,785 [root] DEBUG: DumpRegion: Dumped stack region from 0x00DB0000, size 0x2000.
2020-03-24 05:13:51,799 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00DB0000.
2020-03-24 05:13:51,799 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xdb0000 - 0xdb2000.
2020-03-24 05:13:51,799 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00DB0000.
2020-03-24 05:13:51,815 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:13:51,815 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:13:51,832 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:13:51,832 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:13:51,832 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:13:51,846 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:13:51,846 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x00DB003C.
2020-03-24 05:13:51,846 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:13:52,065 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:13:52,096 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:13:52,096 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:13:52,111 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 05:13:52,111 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 05:13:52,128 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2576.
2020-03-24 05:13:52,128 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 3016.
2020-03-24 05:13:52,128 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2784.
2020-03-24 05:13:52,253 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6NWIC74\favicon[1].ico" does not exist, skip.
2020-03-24 05:13:52,799 [lib.api.process] INFO: Termination confirmed for process 1576
2020-03-24 05:13:52,799 [root] INFO: Terminate event set for process 1576.
2020-03-24 05:13:52,799 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1576
2020-03-24 05:13:52,799 [root] INFO: Terminating process 1576 before shutdown.
2020-03-24 05:13:52,813 [root] INFO: Waiting for process 1576 to exit.
2020-03-24 05:13:53,859 [root] INFO: Terminating process 1784 before shutdown.
2020-03-24 05:13:53,953 [root] INFO: Shutting down package.
2020-03-24 05:13:54,030 [root] INFO: Stopping auxiliary modules.
2020-03-24 05:13:54,078 [root] INFO: Finishing auxiliary modules.
2020-03-24 05:13:54,125 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 05:13:54,171 [root] WARNING: File at path "C:\hLUpzAAQj\debugger" does not exist, skip.
2020-03-24 05:13:54,217 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2020-03-24 05:09:59 2020-03-24 05:14:09

File Details

File Name look_presentation_z8d.js
File Size 4017049 bytes
File Type ASCII text, with very long lines, with no line terminators
MD5 10707b7d4f52a18a12e8b05b43ba6fbc
SHA1 cb2a7798e4e082aa40937f876163696bf56ea94a
SHA256 e423c8e84b0f4f81c4870c5a3d114ed1ad2e42d3e9ff13ec605c84336d3fe91a
SHA512 bd025cd1ea8ede9369d2615aeab0f9c5a7e55b246909f8e3e6ca51fb36b5b29306214e8800ef3e076dc38afb4557028fc84474f8a856a0b77901027cdc80eca3
CRC32 C847F0F3
Ssdeep 49152:odDrdDrdDrdDrdD4dDrdDrdDrdDrdDqdDdkQdDdJ:w
TrID
  • Unknown!
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Attempts to connect to a dead IP:Port (3 unique times)
IP: 204.79.197.200:443 (United States)
IP: 204.79.197.200:80 (United States)
IP: 72.21.91.29:80 (United States)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2788 trigged the Yara rule 'shellcode_patterns'
Hit: PID 2788 trigged the Yara rule 'shellcode_get_eip'
Hit: PID 1624 trigged the Yara rule 'shellcode_patterns'
Possible date expiration check, exits too soon after checking local time
process: iexplore.exe, PID 1624
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: regsvr32.exe tried to sleep 556 seconds, actually delayed analysis time by 0 seconds
Process: WmiPrvSE.exe tried to sleep 840 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: wscript.exe/
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: wscript.exe/
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: PROPSYS.dll/PSCreateMemoryPropertyStore
DynamicLoader: PROPSYS.dll/PSPropertyBag_WriteDWORD
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadDWORD
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadGUID
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: urlmon.dll/CreateUri
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: SHELL32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: PROPSYS.dll/PSPropertyBag_ReadStrAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: PROPSYS.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: PROPSYS.dll/InitPropVariantFromStringAsVector
DynamicLoader: PROPSYS.dll/PSCoerceToCanonicalValue
DynamicLoader: PROPSYS.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: ole32.dll/CoAllowSetForegroundWindow
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/SaferGetPolicyInformation
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: LPK.dll/LpkEditControl
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetSystemDefaultUILanguage
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VerLanguageNameA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/GetExitCodeThread
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/InterlockedDecrement
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/InterlockedIncrement
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/AddVectoredExceptionHandler
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/RemoveVectoredExceptionHandler
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/QueueUserAPC
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/CreateFileMappingW
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: ntdll.dll/_snwprintf
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/_aulldiv
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: xBjMNtgfJT.txt/DllRegisterServer
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/ZwCreateSection
DynamicLoader: ntdll.dll/ZwMapViewOfSection
DynamicLoader: ntdll.dll/ZwUnmapViewOfSection
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/sprintf
DynamicLoader: ntdll.dll/_snprintf
DynamicLoader: ntdll.dll/strcpy
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/wcstombs
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/_snwprintf
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/_aulldiv
DynamicLoader: ntdll.dll/_allmul
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/InterlockedExchange
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/InterlockedIncrement
DynamicLoader: kernel32.dll/InterlockedDecrement
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/lstrcmpW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/CreateFileMappingW
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/Wow64EnableWow64FsRedirection
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/QueryPerformanceFrequency
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WINHTTP.dll/WinHttpQueryOption
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: SHLWAPI.dll/StrToIntExA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrTrimA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: OLEAUT32.dll/BSTR_UserSize
DynamicLoader: OLEAUT32.dll/BSTR_UserMarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserUnmarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserFree
DynamicLoader: OLEAUT32.dll/VARIANT_UserSize
DynamicLoader: OLEAUT32.dll/VARIANT_UserMarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserUnmarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserFree
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserSize
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserMarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserUnmarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserFree
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/LogonUserExExW
DynamicLoader: SspiCli.dll/LogonUserExExW
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: SHELL32.dll/SetCurrentProcessExplicitAppUserModelID
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: IEFRAME.dll/
DynamicLoader: WININET.dll/InternetQueryOptionW
DynamicLoader: ADVAPI32.dll/EventActivityIdControl
DynamicLoader: ADVAPI32.dll/EventWriteTransfer
DynamicLoader: kernel32.dll/SetFileInformationByHandle
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: ws2_32.DLL/accept
DynamicLoader: ws2_32.DLL/bind
DynamicLoader: ws2_32.DLL/closesocket
DynamicLoader: ws2_32.DLL/connect
DynamicLoader: ws2_32.DLL/getpeername
DynamicLoader: ws2_32.DLL/getsockname
DynamicLoader: ws2_32.DLL/getsockopt
DynamicLoader: ws2_32.DLL/ntohl
DynamicLoader: ws2_32.DLL/htonl
DynamicLoader: ws2_32.DLL/htons
DynamicLoader: ws2_32.DLL/inet_addr
DynamicLoader: ws2_32.DLL/inet_ntoa
DynamicLoader: ws2_32.DLL/ioctlsocket
DynamicLoader: ws2_32.DLL/listen
DynamicLoader: ws2_32.DLL/ntohs
DynamicLoader: ws2_32.DLL/recv
DynamicLoader: ws2_32.DLL/recvfrom
DynamicLoader: ws2_32.DLL/select
DynamicLoader: ws2_32.DLL/send
DynamicLoader: ws2_32.DLL/sendto
DynamicLoader: ws2_32.DLL/setsockopt
DynamicLoader: ws2_32.DLL/shutdown
DynamicLoader: ws2_32.DLL/socket
DynamicLoader: ws2_32.DLL/gethostbyname
DynamicLoader: ws2_32.DLL/gethostname
DynamicLoader: ws2_32.DLL/WSAIoctl
DynamicLoader: ws2_32.DLL/WSAGetLastError
DynamicLoader: ws2_32.DLL/WSASetLastError
DynamicLoader: ws2_32.DLL/WSAStartup
DynamicLoader: ws2_32.DLL/WSACleanup
DynamicLoader: ws2_32.DLL/__WSAFDIsSet
DynamicLoader: ws2_32.DLL/getaddrinfo
DynamicLoader: ws2_32.DLL/freeaddrinfo
DynamicLoader: ws2_32.DLL/getnameinfo
DynamicLoader: ws2_32.DLL/WSALookupServiceBeginW
DynamicLoader: ws2_32.DLL/WSALookupServiceNextW
DynamicLoader: ws2_32.DLL/WSALookupServiceEnd
DynamicLoader: ws2_32.DLL/WSANSPIoctl
DynamicLoader: ws2_32.DLL/WSAStringToAddressA
DynamicLoader: ws2_32.DLL/WSAStringToAddressW
DynamicLoader: ws2_32.DLL/WSAAddressToStringA
DynamicLoader: dnsapi.DLL/DnsGetProxyInformation
DynamicLoader: dnsapi.DLL/DnsFreeProxyName
DynamicLoader: iphlpapi.DLL/GetIpForwardTable2
DynamicLoader: iphlpapi.DLL/FreeMibTable
DynamicLoader: iphlpapi.DLL/GetIfEntry2
DynamicLoader: iphlpapi.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: iphlpapi.DLL/ResolveIpNetEntry2
DynamicLoader: iphlpapi.DLL/GetIpNetEntry2
DynamicLoader: SHLWAPI.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/PropertySheetW
DynamicLoader: comctl32.dll/PropertySheetA
DynamicLoader: comdlg32.dll/PageSetupDlgW
DynamicLoader: comdlg32.dll/PrintDlgW
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/TraceMessage
DynamicLoader: ADVAPI32.dll/TraceMessageVa
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: sqmapi.dll/SqmGetSession
DynamicLoader: sqmapi.dll/SqmEndSession
DynamicLoader: sqmapi.dll/SqmStartSession
DynamicLoader: sqmapi.dll/SqmStartUpload
DynamicLoader: sqmapi.dll/SqmWaitForUploadComplete
DynamicLoader: sqmapi.dll/SqmSet
DynamicLoader: sqmapi.dll/SqmSetBool
DynamicLoader: sqmapi.dll/SqmSetBits
DynamicLoader: sqmapi.dll/SqmSetString
DynamicLoader: sqmapi.dll/SqmIncrement
DynamicLoader: sqmapi.dll/SqmSetIfMax
DynamicLoader: sqmapi.dll/SqmSetIfMin
DynamicLoader: sqmapi.dll/SqmAddToAverage
DynamicLoader: sqmapi.dll/SqmAddToStreamDWord
DynamicLoader: sqmapi.dll/SqmAddToStreamString
DynamicLoader: sqmapi.dll/SqmSetAppId
DynamicLoader: sqmapi.dll/SqmSetAppVersion
DynamicLoader: sqmapi.dll/SqmSetMachineId
DynamicLoader: sqmapi.dll/SqmSetUserId
DynamicLoader: sqmapi.dll/SqmCreateNewId
DynamicLoader: sqmapi.dll/SqmReadSharedMachineId
DynamicLoader: sqmapi.dll/SqmReadSharedUserId
DynamicLoader: sqmapi.dll/SqmWriteSharedMachineId
DynamicLoader: sqmapi.dll/SqmWriteSharedUserId
DynamicLoader: sqmapi.dll/SqmIsWindowsOptedIn
DynamicLoader: urlmon.dll/
DynamicLoader: ADVAPI32.dll/AddMandatoryAce
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
DynamicLoader: kernel32.dll/WerUnregisterMemoryBlock
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: RPCRT4.dll/UuidCreateSequential
DynamicLoader: RPCRT4.dll/RpcServerUseProtseqW
DynamicLoader: RPCRT4.dll/RpcServerRegisterIfEx
DynamicLoader: RPCRT4.dll/RpcServerInqBindings
DynamicLoader: RPCRT4.dll/RpcEpRegisterW
DynamicLoader: RPCRT4.dll/RpcServerListen
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: urlmon.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/RegisterApplicationRestart
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: USER32.dll/AllowSetForegroundWindow
DynamicLoader: WININET.dll/InternetInitializeAutoProxyDll
DynamicLoader: RASAPI32.dll/RasEnumEntriesW
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: rtutils.dll/TraceRegisterExA
DynamicLoader: rtutils.dll/TracePrintfExA
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: SHLWAPI.dll/PathCanonicalizeW
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: sensapi.dll/IsNetworkAlive
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: NLAapi.dll/NSPStartup
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: USER32.dll/PostThreadMessageW
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: comctl32.dll/LoadIconWithScaleDown
DynamicLoader: IEUI.dll/InitGadgets
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: USER32.dll/MsgWaitForMultipleObjectsEx
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_GetIconSize
DynamicLoader: UxTheme.dll/IsCompositionActive
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/ImageList_ReplaceIcon
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/ImageList_AddMasked
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: MSCTF.dll/SetInputScopes2
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/CreateUri
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: IEUI.dll/CreateGadget
DynamicLoader: IEUI.dll/SetGadgetMessageFilter
DynamicLoader: IEUI.dll/SetGadgetStyle
DynamicLoader: IEUI.dll/SetGadgetRootInfo
DynamicLoader: xmllite.dll/CreateXmlReader
DynamicLoader: xmllite.dll/CreateXmlReaderInputWithEncodingName
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: IEUI.dll/FindStdColor
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: IEUI.dll/InvalidateGadget
DynamicLoader: IEUI.dll/SetGadgetParent
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PSPropertyBag_WriteStr
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PSPropertyBag_WriteGUID
DynamicLoader: propsys.dll/PSPropertyBag_ReadGUID
DynamicLoader: IEUI.dll/GetGadgetTicket
DynamicLoader: IEUI.dll/SetGadgetRect
DynamicLoader: urlmon.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: kernel32.dll/GetThreadUILanguage
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/SHGetInstanceExplorer
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: RPCRT4.dll/RpcBindingToStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringBindingParseW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/I_RpcBindingInqLocalClientPID
DynamicLoader: RPCRT4.dll/RpcServerInqCallAttributesW
DynamicLoader: RPCRT4.dll/RpcImpersonateClient
DynamicLoader: RPCRT4.dll/RpcRevertToSelf
DynamicLoader: RPCRT4.dll/NdrServerCall2
DynamicLoader: RPCRT4.dll/RpcBindingInqObject
DynamicLoader: IEUI.dll/PeekMessageExW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: msfeeds.dll/MsfeedsCreateInstance
DynamicLoader: SHELL32.dll/SHGetSpecialFolderPathW
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/FindFirstUrlCacheContainerW
DynamicLoader: WININET.dll/FindNextUrlCacheContainerW
DynamicLoader: WININET.dll/FindCloseUrlCache
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: IEUI.dll/WaitMessageEx
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: sqmapi.dll/SqmReadSharedUserId
DynamicLoader: sqmapi.dll/SqmWriteSharedMachineId
DynamicLoader: sqmapi.dll/SqmWriteSharedUserId
DynamicLoader: sqmapi.dll/SqmIsWindowsOptedIn
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PSPropertyBag_WriteStr
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PSPropertyBag_WriteGUID
DynamicLoader: propsys.dll/PSPropertyBag_ReadGUID
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ieproxy.dll/DllGetClassObject
DynamicLoader: ieproxy.dll/DllCanUnloadNow
DynamicLoader: SHELL32.dll/SHChangeNotifyRegisterThread
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/ImageList_Destroy
DynamicLoader: comctl32.dll/ImageList_LoadImageW
DynamicLoader: comctl32.dll/ImageList_Add
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoExW
DynamicLoader: MLANG.dll/
DynamicLoader: RPCRT4.dll/RpcBindingToStringBindingW
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoExA
DynamicLoader: RPCRT4.dll/RpcStringBindingParseW
DynamicLoader: RPCRT4.dll/I_RpcBindingInqLocalClientPID
DynamicLoader: RPCRT4.dll/RpcServerInqCallAttributesW
DynamicLoader: RPCRT4.dll/RpcImpersonateClient
DynamicLoader: RPCRT4.dll/RpcRevertToSelf
DynamicLoader: RPCRT4.dll/NdrServerCall2
DynamicLoader: RPCRT4.dll/RpcBindingInqObject
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: comctl32.dll/
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: WININET.dll/InternetQueryOptionA
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/RegisterDragDrop
DynamicLoader: UxTheme.dll/SetWindowTheme
DynamicLoader: UxTheme.dll/IsThemeActive
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: urlmon.dll/
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: AcroIEHelper.dll/StubInit
DynamicLoader: AcroIEHelper.dll/StubSetSite
DynamicLoader: AcroIEHelper.dll/StubOnQuit
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: SHLWAPI.dll/PathFileExistsA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueA
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/ChangeWindowMessageFilter
DynamicLoader: DWMAPI.DLL/DwmSetWindowAttribute
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDToProxyStubCLSID
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: OLEAUT32.dll/BSTR_UserSize
DynamicLoader: OLEAUT32.dll/BSTR_UserMarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserUnmarshal
DynamicLoader: OLEAUT32.dll/BSTR_UserFree
DynamicLoader: OLEAUT32.dll/VARIANT_UserSize
DynamicLoader: OLEAUT32.dll/VARIANT_UserMarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserUnmarshal
DynamicLoader: OLEAUT32.dll/VARIANT_UserFree
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserSize
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserMarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserUnmarshal
DynamicLoader: OLEAUT32.dll/LPSAFEARRAY_UserFree
DynamicLoader: urlmon.dll/CreateUri
DynamicLoader: kernel32.dll/InitializeSRWLock
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
DynamicLoader: ADVAPI32.dll/AddMandatoryAce
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: urlmon.dll/
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: urlmon.dll/CoInternetIsFeatureEnabledForUrl
DynamicLoader: DWMAPI.DLL/DwmInvalidateIconicBitmaps
DynamicLoader: urlmon.dll/RevokeBindStatusCallback
DynamicLoader: urlmon.dll/CreateIUriBuilder
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/
DynamicLoader: WININET.dll/CreateUrlCacheContainerW
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoA
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/VariantClear
DynamicLoader: urlmon.dll/IntlPercentEncodeNormalize
DynamicLoader: urlmon.dll/
DynamicLoader: WININET.dll/GetUrlCacheEntryInfoA
DynamicLoader: urlmon.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: ImgUtil.dll/DecodeImage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: urlmon.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/RevokeDragDrop
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: actxprxy.dll/DllGetClassObject
DynamicLoader: actxprxy.dll/DllCanUnloadNow
DynamicLoader: mmcss.dll/ServiceMain
DynamicLoader: mmcss.dll/SvchostPushServiceGlobals
Encrypts a single HTTP packet
http_request: GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ieonline.microsoft.com Connection: Keep-Alive
CAPE extracted potentially suspicious content
regsvr32.exe: Extracted PE Image: 32-bit DLL
regsvr32.exe: Extracted Shellcode
regsvr32.exe: Extracted Shellcode: 32-bit DLL
regsvr32.exe: Extracted PE Image: 32-bit DLL
iexplore.exe: Extracted Shellcode
iexplore.exe: Extracted Shellcode
iexplore.exe: Extracted Shellcode
iexplore.exe: Extracted Shellcode
Performs some HTTP requests
url: http://www.bing.com/favicon.ico
url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
url: http://crl3.digicert.com/Omniroot2025.crl
Uses Windows utilities for basic functionality
command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -Embedding
command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1624 CREDAT:79873
command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1576 CREDAT:79873
A script process created a new process
wscript.exe: "C:\Windows\System32\regsvr32.exe" -s C:\Users\user\AppData\Local\Temp\\xBjMNtgfJT.txt
Suspicious JavaScript was executed by a script process
Process executing suspicious JavaScript: wscript.exe
Stack pivoting was detected when using a critical API
process: iexplore.exe:1624
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\IETldCache\Low
Likely virus infection of existing system binary
file: c:\users\user\favorites\links\suggested sites.url
Attempts to modify proxy settings

Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
N       72.21.91.29     United States
N       204.79.197.200  United States

DNS

Name                    Response                                         Post-Analysis Lookup
www.bing.com            CNAME dual-a-0001.a-msedge.net
                        CNAME a-0001.a-afdentry.net.trafficmanager.net
                        A 204.79.197.200
                        A 13.107.21.200
io.laurela.at
ieonline.microsoft.com  CNAME any.edge.bing.com
ocsp.digicert.com       CNAME cs9.wac.phicdn.net
                        A 72.21.91.29
crl3.digicert.com

Summary

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4W7O9ARC\favcenter[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4W7O9ARC\favcenter[2]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\tools[1]
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8OP9ZJC\tools[2]
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EF04D785-6D8D-11EA-8662-000C2940B9FB}.dat
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EF04D784-6D8D-11EA-8662-000C2940B9FB}.dat
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P0THEGK\favicon[1].png
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{031E4825-7B94-4DC3-B131-E946B44C8DD5}
HKEY_CLASSES_ROOT\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{04731B67-D933-450A-90E6-4ACD2E9408FE}
HKEY_CLASSES_ROOT\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}
HKEY_CLASSES_ROOT\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{11016101-E366-4D22-BC06-4ADA335C892B}
HKEY_CLASSES_ROOT\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}
HKEY_CLASSES_ROOT\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{4336A54D-038B-4685-AB02-99BB52D3FB8B}
HKEY_CLASSES_ROOT\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103}
HKEY_CLASSES_ROOT\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
HKEY_CLASSES_ROOT\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{89D83576-6BD1-4C86-9454-BEB04E94C819}
HKEY_CLASSES_ROOT\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{9343812E-1C37-4A49-A12E-4B2D810D956B}
HKEY_CLASSES_ROOT\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}
HKEY_CLASSES_ROOT\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\wscript.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1806
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1806
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Progid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellCompatibility\ProgIDs\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\InheritConsoleHandles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\SetWorkingDirectoryFromTarget
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\NoWorkingDirectory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes\.txt
HKEY_LOCAL_MACHINE\Software\Classes\.txt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\(Default)
HKEY_CURRENT_USER\Software\Classes\txtfile
HKEY_LOCAL_MACHINE\Software\Classes\txtfile
HKEY_CURRENT_USER\Software\Classes\txtfile\AutoRegister
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\AutoRegister
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\xBjMNtgfJT.txt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_CURRENT_USER\Software\Classes\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\ProxyStubClsid32
HKEY_CURRENT_USER\Software\Classes\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\Forward
HKEY_CURRENT_USER\Software\Classes\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\TypeLib\Version
HKEY_CURRENT_USER\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
HKEY_CURRENT_USER\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1
HKEY_CURRENT_USER\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0
HKEY_CURRENT_USER\Software\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32\(Default)
HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{0002DF05-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002DF05-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002DF05-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{0002DF05-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_CURRENT_USER\Software\Classes\Interface\{0002DF05-0000-0000-C000-000000000046}\Forward
HKEY_CURRENT_USER\Software\Classes\Interface\{0002DF05-0000-0000-C000-000000000046}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002DF05-0000-0000-C000-000000000046}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002DF05-0000-0000-C000-000000000046}\TypeLib\Version
HKEY_CURRENT_USER\Software\Classes\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\ProxyStubClsid32
HKEY_CURRENT_USER\Software\Classes\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\Forward
HKEY_CURRENT_USER\Software\Classes\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\TypeLib\Version
HKEY_CURRENT_USER\Software\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}
HKEY_CURRENT_USER\Software\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0
HKEY_CURRENT_USER\Software\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\0
HKEY_CURRENT_USER\Software\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32
HKEY_CURRENT_USER\Software\Classes\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\Forward
HKEY_CURRENT_USER\Software\Classes\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib\Version
HKEY_USERS\S-1-5-19_Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\LocalServer32\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\LocalServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\LocalServer32\ServerExecutable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F87137D-0E7C-44D5-8C73-4EFFB68962F2}\Elevation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ServerExecutable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Elevation
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ServerExecutable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\Path
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_CLASSES\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\TreatAs
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\Progid
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\AppID
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\Elevation
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\AppID
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001_Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\ActivationFailureLoggingLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&2848384c&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\State
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\Preference
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Log File Max Size
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\29D0DF42-74DB-4350-C66D-E8275AF19C4B
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Internet Explorer\Main\IE10RunOnceLastShown
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Internet Explorer\Main\IE10RunOnceLastShown_TIMESTAMP
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Internet Explorer\Main\IE8RunOnceLastShown
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Internet Explorer\Main\IE8RunOnceLastShown_TIMESTAMP
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Internet Explorer\Main\Check_Associations
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DEPOff
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESAFESEARCHPATH_KB963027
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLESAFESEARCHPATH_KB963027
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ProtectedModeOffForAllZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\LuaOffLoRIEOn
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Setup
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FromCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
\xe8\x8d\xb0\xc3\x9aEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableKeepAlive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisablePassport
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IdnEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CacheMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
\xef\xb6\xb8\xc3\x9aEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\Feature_ClientAuthCertFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\Feature_ClientAuthCertFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ClientAuthBuiltInUI
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
\xef\xb3\x90\xc3\x9aEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Signature
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
\xef\xb3\x90\xc3\x9aEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
\xef\xb6\x90\xc3\x9aEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
\xef\xb3\x90\xc3\x9aEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
\xef\xb3\x90\xc3\x9aEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
\xef\xb3\x90\xc3\x9aEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
\xe8\x8d\xb0\xc3\x9aEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
\xef\xb3\x90\xc3\x9aEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
\xef\xb3\x90\xc3\x9aEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
\xe8\x8d\xb0\xc3\x9aEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheRepair
\xe5\x9a\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePath
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePrefix
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheLimit
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheRepair
\xe5\x9a\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePath
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePrefix
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheLimit
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheRepair
\xe5\x9a\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePath
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePrefix
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheLimit
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
\xe5\x99\xb8\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheRepair
\xe5\x9a\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePath
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePrefix
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheLimit
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheRepair
\xe5\x9a\x98\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePath
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePrefix
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheLimit
\xe5\x96\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheOptions
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisplayScriptDownloadFailureUI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSServername
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSAPIforCrack
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UTF8ServerNameRes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableWorkerThreadHibernation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableWorkerThreadHibernation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableReadRange
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketSendBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketReceiveBufferLength
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\KeepAliveTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxHttpRedirects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ServerInfoTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectRetries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNTLMPreAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ScavengeCacheLowerBound
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertCacheNoValidate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLifeTime
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_LONG_INTERNATIONAL_FILENAMES
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_LONG_INTERNATIONAL_FILENAMES
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FtpDefaultExpiryTimeSecs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
\xe9\x9f\xa8\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PerUserCookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendExtraCRLF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WpadSearchAllDomains
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RELEASE_KEYS_ON_UNLOAD_KB975619
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RELEASE_KEYS_ON_UNLOAD_KB975619
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITY_FLAG_IGNORE_REVOCATION_KB2275828
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SECURITY_FLAG_IGNORE_REVOCATION_KB2275828
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
\xe9\x9f\xa8\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HeaderExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEnabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEntries
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheTimeout
\xe9\x9f\xa8\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost
\xe9\x9f\xa8\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertRecving
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AlwaysDrainOnRedirect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\TcpAutotuning
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoNetAutodial
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BadProxyExpiresTime
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBranchCache
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
\xe9\x9f\xa8\xc2\x9bEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings
\xe9\x9f\xa8\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
\xe9\x9f\xa8\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\xe9\xad\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
\xe9\xad\x90\xc2\x9bEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\HangResistance
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\HangResistance
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Safety\PrivacIE
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\DetourDialogs
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\New Windows
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM\ServerFreezeOnUpload
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SQM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbars\Restrictions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbars\Restrictions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
HKEY_CURRENT_USER\Software\Classes\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\TreatAs
HKEY_CLASSES_ROOT\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VerCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
HKEY_CURRENT_USER\Software\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\TreatAs
HKEY_CLASSES_ROOT\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\VerCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{DBC80044-A445-435B-BC74-9C25C1C588A9}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
HKEY_CURRENT_USER\Software\Classes\CLSID\{DBC80044-A445-435B-BC74-9C25C1C588A9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DBC80044-A445-435B-BC74-9C25C1C588A9}\TreatAs
HKEY_CLASSES_ROOT\CLSID\{DBC80044-A445-435B-BC74-9C25C1C588A9}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DBC80044-A445-435B-BC74-9C25C1C588A9}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}\VerCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\LoadTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_CURRENT_USER\Software\AppDataLow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Zoom
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\LowMic
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1201
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1201
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1405
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1405
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1800
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1800
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1806
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1806
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1201
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1800
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1804
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1806
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1806
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1000
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigCustomUA
HKEY_CLASSES_ROOT\AutoProxyTypes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-internet-signup
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-internet-signup\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-ns-proxy-autoconfig
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Min_Width
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Min_Height
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectUI
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF04D784-6D8D-11EA-8662-000C2940B9FB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\GipActivityBypass
HKEY_CURRENT_USER\Software\Classes\Interface\{1AC7516E-E6BB-4A69-B63F-E841904DC5A6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AC7516E-E6BB-4A69-B63F-E841904DC5A6}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AC7516E-E6BB-4A69-B63F-E841904DC5A6}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{7673B35E-907A-449D-A49F-E5CE47F0B0B2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7673B35E-907A-449D-A49F-E5CE47F0B0B2}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7673B35E-907A-449D-A49F-E5CE47F0B0B2}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\Groups
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\TabbedBrowsing
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch\EnabledScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Feeds
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Feeds
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Search
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Search\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Position
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FullScreen
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\IEAK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\IEAK
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\IE8RunOnceLastShown
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\CommandBar
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\CommandBar
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\UseIE7AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchControlWidth
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigrated
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedInstalled
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\provider
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\Deleted
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowSearchSuggestions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowSearchSuggestions
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\ShowSearchSuggestionsGlobal
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ShowSearchSuggestionsGlobal
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSON
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSON
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSONFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSONFallback
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\PreviewURL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\PreviewURL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\PreviewURLFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\PreviewURLFallback
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\Codepage
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\Codepage
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SortIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\iexplore.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\IETldDllVersionLow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\IETldDllVersionHigh
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\IETldVersionLow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\IETldVersionHigh
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\Enabled
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\LinksBar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\TestHandler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Migration
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\CascadeFolderBands
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\CascadeFolderBands
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\DefaultItemWidth
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\ActivityMeterTimerInterval
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\ActivityMeterDisable
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Path
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Handler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\FeedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\QuickTabsThreshold
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\clsid
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ADDON_MANAGEMENT\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ADDON_MANAGEMENT\*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2670000A-7350-4F3C-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2670000A-7350-4F3C-8081-5663EE0C6C49}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore\Time
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Lang0409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ButtonText
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuText
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuCustomize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuStatusBar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{2670000A-7350-4f3c-8081-5663EE0C6C49}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Default Visible
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\clsid
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore\Time
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Lang0409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ButtonText
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuText
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuCustomize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuStatusBar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default Visible
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Icon
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IEDevTools
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\IEDevTools
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksExplorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\LinksExplorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\ThumbnailBehavior
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep
HKEY_CURRENT_USER\Software\Classes\Interface\{9EC704BA-E1D4-45C5-9B59-BFAE07D9F04E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EC704BA-E1D4-45C5-9B59-BFAE07D9F04E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EC704BA-E1D4-45C5-9B59-BFAE07D9F04E}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{D358F4E1-0465-4965-9DD5-CAE303D2C345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D358F4E1-0465-4965-9DD5-CAE303D2C345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D358F4E1-0465-4965-9DD5-CAE303D2C345}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{F704B7E0-4760-46FF-BBDB-7439E0A2A814}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F704B7E0-4760-46FF-BBDB-7439E0A2A814}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F704B7E0-4760-46FF-BBDB-7439E0A2A814}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\iexplore_RASMANCS\FileDirectory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayMask
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\ErrorState
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\DontUseDesktopChangeRouter
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_CURRENT_USER\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{48A98A1F-5CDD-47EE-9286-DB04A3EB7CE1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48A98A1F-5CDD-47EE-9286-DB04A3EB7CE1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48A98A1F-5CDD-47EE-9286-DB04A3EB7CE1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseMRUSwitching
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NormalizeLinkNetPidls
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\System.NamespaceCLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\{28636AA6-953D-11D2-B5D6-00C04FD918D0} 6
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameShutdownDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameShutdownDelay
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld\StaleIETldCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Control Panel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy\ClearBrowsingHistoryOnExit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsiproxy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsiproxy\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsi\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WSearch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\RequiredPrivileges
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AcRedir
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabShutdownDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabShutdownDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{1777F761-68AD-4D8A-87BD-30B759FA33DD}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Favorites
HKEY_CURRENT_USER\Software\Classes\AppID\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\74DD1FC8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\StatusBarWeb
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\StatusBarWeb
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\LinksBar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\CommandBar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoBandCustomize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AlwaysShowMenus
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AlwaysShowMenus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Marlett
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ADDON_MANAGEMENT
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{18df081c-e8ad-4283-a596-fa578c2ebdc3}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\AcroIEHelperShim.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
HKEY_CLASSES_ROOT\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b4f3a835-0e21-4959-ba22-42b3008e02ff}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\URLREDIR.DLL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{dbc80044-a445-435b-bc74-9c25c1c588a9}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\jp2ssv.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Time
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\10.0.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\10.0.0\UseNewJavaPlugin
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.7.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.7.0\JavaHome
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TabbedBrowsing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TravelLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\TravelLog
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\AddToFavoritesInitialSelection
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\AddToFeedsInitialSelection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_LOCAL_MACHINE\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_CURRENT_USER\Software\Classes\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\Forward
HKEY_CURRENT_USER\Software\Classes\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SuppressionPolicy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\UsersFiles\NameSpace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\UsersFiles\NameSpace\DelegateFolders
HKEY_CLASSES_ROOT\.url
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL\(Default)
HKEY_CLASSES_ROOT\.url\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url
HKEY_CLASSES_ROOT\InternetShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\IconHandler\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\DocObject
HKEY_CLASSES_ROOT\SystemFileAssociations\.url
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\CLSID\(Default)
HKEY_CLASSES_ROOT\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\Implemented Categories\{00021490-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\NeverShowExt
HKEY_CLASSES_ROOT\.tmp
HKEY_CLASSES_ROOT\.tmp\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tmp\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tmp
HKEY_CLASSES_ROOT\Unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Signature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheRepair
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheOptions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-internet-signup\DllFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-internet-signup\FileExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-internet-signup\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-ns-proxy-autoconfig\DllFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-ns-proxy-autoconfig\FileExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-ns-proxy-autoconfig\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoProxyTypes\Application/x-ns-proxy-autoconfig\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17AE3912-6D8E-11EA-8662-000C2940B9FB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_CURRENT_USER\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\UDTAlignmentPolicy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order
HKEY_CURRENT_USER\Software\Classes\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\InprocHandler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use FormSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use FormSuggest
HKEY_CURRENT_USER\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\ProxyStubClsid32
HKEY_CURRENT_USER\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Forward
HKEY_CURRENT_USER\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib\Version
HKEY_CURRENT_USER\Software\Classes\Interface\{9706DA66-D17C-48A5-B42D-39963D174DC0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9706DA66-D17C-48A5-B42D-39963D174DC0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9706DA66-D17C-48A5-B42D-39963D174DC0}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{5C193B57-4EC0-4387-B98E-BEBF10136422}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C193B57-4EC0-4387-B98E-BEBF10136422}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C193B57-4EC0-4387-B98E-BEBF10136422}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_CLASSES_ROOT\MIME\Database\Content Type\image/x-icon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/x-icon\Extension
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\QuickTabsLastUsed
HKEY_CURRENT_USER\Software\Classes\InternetShortcut\CurVer
HKEY_CURRENT_USER\Software\Classes\InternetShortcut
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LsaExtensionConfig\SspiCli
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureRoutine
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Comment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\RpcId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Version
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\TokenSize
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-0c-29-dc-04-c0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\10.0.0\UseNewJavaPlugin
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.7.0\JavaHome
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\MenuUserExpanded
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{cfbfae00-17a6-11d0-99cb-00c04fd64497}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore\Type
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore\Time
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\NavigationDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AutoSearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFontSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFontSizePrivate
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFixedFontName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2301
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CoInternetCombineIUriCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CoInternetCombineIUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CoInternetCombineIUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CoInternetCombineIUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHIM_MSHELP_COMBINE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHIM_MSHELP_COMBINE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHIM_MSHELP_COMBINE\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHIM_MSHELP_COMBINE\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN\*
HKEY_CLASSES_ROOT\.css
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css\Content Type
HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/css
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/css
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BEHAVIORS\iexplore.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2000
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Default Behaviors
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default Behaviors\discovery
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BINARY_CALLER_SERVICE_PROVIDER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BINARY_CALLER_SERVICE_PROVIDER
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{11016101-E366-4D22-BC06-4ADA335C892B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{4336A54D-038B-4685-AB02-99BB52D3FB8B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{89D83576-6BD1-4C86-9454-BEB04E94C819}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Nod