Analysis

Category: FILE
Package: exe
Started: 2020-03-24 06:17:59
Completed: 2020-03-24 06:21:47
Duration: 228 seconds
Options:
route = internet
procdump = 1
Log:
2020-03-24 06:18:00,000 [root] INFO: Date set to: 03-24-20, time set to: 06:18:00, timeout set to: 200
2020-03-24 06:18:00,015 [root] DEBUG: Starting analyzer from: C:\mwtpukcyb
2020-03-24 06:18:00,015 [root] DEBUG: Storing results at: C:\JrCesO
2020-03-24 06:18:00,015 [root] DEBUG: Pipe server name: \\.\PIPE\isvGNj
2020-03-24 06:18:00,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-03-24 06:18:00,015 [root] INFO: Automatically selected analysis package "exe"
2020-03-24 06:18:00,296 [root] DEBUG: Started auxiliary module Browser
2020-03-24 06:18:00,296 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 06:18:00,296 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 06:18:00,686 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 06:18:00,686 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 06:18:00,686 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 06:18:00,686 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 06:18:00,686 [root] DEBUG: Started auxiliary module Human
2020-03-24 06:18:00,686 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 06:18:00,686 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 06:18:00,686 [root] DEBUG: Started auxiliary module Usage
2020-03-24 06:18:00,686 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-03-24 06:18:00,686 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-03-24 06:18:00,701 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\exe.bin" with arguments "" with pid 828
2020-03-24 06:18:00,701 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:00,701 [lib.api.process] INFO: 32-bit DLL to inject is C:\mwtpukcyb\dll\ZKXxlkn.dll, loader C:\mwtpukcyb\bin\CerQwWS.exe
2020-03-24 06:18:00,842 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:00,842 [root] DEBUG: Loader: Injecting process 828 (thread 1064) with C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:00,842 [root] DEBUG: Process image base: 0x01330000
2020-03-24 06:18:00,842 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:00,842 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:00,842 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:00,842 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 828
2020-03-24 06:18:02,854 [lib.api.process] INFO: Successfully resumed process with pid 828
2020-03-24 06:18:02,854 [root] INFO: Added new process to list with pid: 828
2020-03-24 06:18:02,885 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:02,885 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:02,931 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:02,931 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:02,931 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:02,931 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:02,931 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:02,931 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 828 at 0x748b0000, image base 0x1330000, stack from 0x286000-0x290000
2020-03-24 06:18:02,931 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\exe.bin".
2020-03-24 06:18:02,931 [root] INFO: Monitor successfully loaded in process with pid 828.
2020-03-24 06:18:02,963 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-03-24 06:18:02,963 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:18:02,963 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 06:18:02,963 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 06:18:02,979 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 06:18:02,979 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 06:18:02,994 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 06:18:03,009 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 06:18:03,009 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 06:18:03,009 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 06:18:03,009 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:18:03,009 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:18:03,056 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:18:03,088 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2020-03-24 06:18:03,119 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:18:03,119 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:18:03,134 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:18:03,134 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:18:03,197 [root] INFO: Announced 32-bit process name: adobe.exe pid: 2208
2020-03-24 06:18:03,197 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:03,197 [lib.api.process] INFO: 32-bit DLL to inject is C:\mwtpukcyb\dll\ZKXxlkn.dll, loader C:\mwtpukcyb\bin\CerQwWS.exe
2020-03-24 06:18:03,197 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:03,197 [root] DEBUG: Loader: Injecting process 2208 (thread 2212) with C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,197 [root] DEBUG: Process image base: 0x00F40000
2020-03-24 06:18:03,197 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,197 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:03,197 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,197 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2208
2020-03-24 06:18:03,213 [root] INFO: Announced 32-bit process name: adobe.exe pid: 2208
2020-03-24 06:18:03,213 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:03,213 [lib.api.process] INFO: 32-bit DLL to inject is C:\mwtpukcyb\dll\ZKXxlkn.dll, loader C:\mwtpukcyb\bin\CerQwWS.exe
2020-03-24 06:18:03,213 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:03,213 [root] DEBUG: Loader: Injecting process 2208 (thread 2212) with C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,213 [root] DEBUG: Process image base: 0x00F40000
2020-03-24 06:18:03,213 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,213 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:03,213 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,213 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2208
2020-03-24 06:18:03,213 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 06:18:03,229 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:18:03,229 [root] DEBUG: DLL unloaded from 0x74810000.
2020-03-24 06:18:03,229 [root] DEBUG: DLL unloaded from 0x74440000.
2020-03-24 06:18:03,229 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:03,229 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:03,229 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:03,229 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:18:03,229 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:03,229 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2208 at 0x748b0000, image base 0xf40000, stack from 0x3c6000-0x3d0000
2020-03-24 06:18:03,229 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\adobe.exe".
2020-03-24 06:18:03,229 [root] INFO: Added new process to list with pid: 2208
2020-03-24 06:18:03,229 [root] INFO: Monitor successfully loaded in process with pid 2208.
2020-03-24 06:18:03,229 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:18:03,229 [root] DEBUG: DLL unloaded from 0x74830000.
2020-03-24 06:18:03,243 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:18:03,243 [root] DEBUG: DLL unloaded from 0x74440000.
2020-03-24 06:18:03,243 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:18:03,243 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:18:03,259 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 06:18:03,259 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 06:18:03,259 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-03-24 06:18:03,259 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 06:18:03,259 [root] DEBUG: set_caller_info: Adding region at 0x001C0000 to caller regions list (advapi32::LookupPrivilegeValueW).
2020-03-24 06:18:03,259 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 06:18:03,259 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2876
2020-03-24 06:18:03,259 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:18:03,259 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:03,259 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:03,259 [lib.api.process] INFO: 32-bit DLL to inject is C:\mwtpukcyb\dll\ZKXxlkn.dll, loader C:\mwtpukcyb\bin\CerQwWS.exe
2020-03-24 06:18:03,276 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:03,276 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:03,276 [root] DEBUG: Loader: Injecting process 2876 (thread 2872) with C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,276 [root] DEBUG: Process image base: 0x49E70000
2020-03-24 06:18:03,276 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,276 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:03,276 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,276 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2876
2020-03-24 06:18:03,276 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2876
2020-03-24 06:18:03,276 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:03,276 [lib.api.process] INFO: 32-bit DLL to inject is C:\mwtpukcyb\dll\ZKXxlkn.dll, loader C:\mwtpukcyb\bin\CerQwWS.exe
2020-03-24 06:18:03,276 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:03,276 [root] DEBUG: Loader: Injecting process 2876 (thread 2872) with C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,276 [root] DEBUG: Process image base: 0x49E70000
2020-03-24 06:18:03,276 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,276 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:03,276 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:03,276 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:03,276 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,276 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1636, handle 0x84
2020-03-24 06:18:03,276 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2876
2020-03-24 06:18:03,276 [root] DEBUG: Process image base: 0x00000000FF900000
2020-03-24 06:18:03,290 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 06:18:03,290 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 06:18:03,290 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 06:18:03,290 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:18:03,290 [root] DEBUG: DLL unloaded from 0x74800000.
2020-03-24 06:18:03,290 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:03,290 [root] DEBUG: DLL unloaded from 0x74440000.
2020-03-24 06:18:03,290 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:03,290 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 828
2020-03-24 06:18:03,290 [root] DEBUG: GetHookCallerBase: thread 1064 (handle 0x0), return address 0x013313A1, allocation base 0x01330000.
2020-03-24 06:18:03,290 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:03,306 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x01330000.
2020-03-24 06:18:03,306 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:18:03,306 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01330000.
2020-03-24 06:18:03,306 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001574.
2020-03-24 06:18:03,306 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:03,306 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:03,306 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2876 at 0x748b0000, image base 0x49e70000, stack from 0x2f3000-0x3f0000
2020-03-24 06:18:03,306 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:03,306 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd \c ""C:\Users\user\AppData\Local\Temp\a.bat" ".
2020-03-24 06:18:03,306 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:03,306 [root] INFO: Added new process to list with pid: 2876
2020-03-24 06:18:03,306 [root] INFO: Monitor successfully loaded in process with pid 2876.
2020-03-24 06:18:03,306 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\828_1730882917318724232020
2020-03-24 06:18:03,306 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x37200.
2020-03-24 06:18:03,306 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:18:03,322 [root] DEBUG: DLL unloaded from 0x74870000.
2020-03-24 06:18:03,322 [root] INFO: Notified of termination of process with pid 828.
2020-03-24 06:18:03,338 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2876
2020-03-24 06:18:03,338 [root] DEBUG: GetHookCallerBase: thread 2872 (handle 0x0), return address 0x49E77302, allocation base 0x49E70000.
2020-03-24 06:18:03,338 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x49E70000.
2020-03-24 06:18:03,338 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:18:03,338 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x49E70000.
2020-03-24 06:18:03,338 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-03-24 06:18:03,354 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\2876_2017058830318724232020
2020-03-24 06:18:03,354 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x48200.
2020-03-24 06:18:03,354 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:18:03,354 [root] INFO: Notified of termination of process with pid 2876.
2020-03-24 06:18:03,368 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:18:03,368 [root] WARNING: Unable to hook LockResource
2020-03-24 06:18:03,415 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x00000000741C0000, image base 0x00000000FF900000, stack from 0x0000000006CE2000-0x0000000006CF0000
2020-03-24 06:18:03,431 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-03-24 06:18:03,431 [root] INFO: Added new process to list with pid: 1632
2020-03-24 06:18:03,431 [root] INFO: Monitor successfully loaded in process with pid 1632.
2020-03-24 06:18:03,431 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 06:18:03,431 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 06:18:03,447 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:03,447 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 06:18:03,447 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 06:18:03,447 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 06:18:03,447 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 06:18:03,447 [root] DEBUG: DLL loaded at 0x740C0000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-03-24 06:18:03,447 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 06:18:03,463 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 06:18:03,463 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:18:03,540 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-03-24 06:18:03,540 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 06:18:03,555 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-03-24 06:18:03,572 [root] DEBUG: DLL loaded at 0x74820000: C:\Windows\system32\mssprxy (0xc000 bytes).
2020-03-24 06:18:03,618 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:18:03,711 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCB00000 to caller regions list (msvcrt::memcpy).
2020-03-24 06:18:03,711 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF71F0000 to caller regions list (ntdll::LdrGetDllHandle).
2020-03-24 06:18:03,727 [root] DEBUG: DLL loaded at 0x73C40000: C:\Windows\system32\wpdshext (0x238000 bytes).
2020-03-24 06:18:03,775 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\WINMM (0x32000 bytes).
2020-03-24 06:18:03,822 [root] DEBUG: DLL loaded at 0x73F30000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus (0x190000 bytes).
2020-03-24 06:18:03,868 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:18:03,900 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2020-03-24 06:18:03,930 [root] DEBUG: DLL loaded at 0x744A0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2020-03-24 06:18:03,961 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 06:18:03,993 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 1576
2020-03-24 06:18:03,993 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:03,993 [lib.api.process] INFO: 32-bit DLL to inject is C:\mwtpukcyb\dll\ZKXxlkn.dll, loader C:\mwtpukcyb\bin\CerQwWS.exe
2020-03-24 06:18:03,993 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:03,993 [root] DEBUG: Loader: Injecting process 1576 (thread 2292) with C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,993 [root] DEBUG: Process image base: 0x00240000
2020-03-24 06:18:03,993 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:03,993 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:04,009 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:04,009 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1576
2020-03-24 06:18:04,009 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 1576
2020-03-24 06:18:04,009 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:04,009 [lib.api.process] INFO: 32-bit DLL to inject is C:\mwtpukcyb\dll\ZKXxlkn.dll, loader C:\mwtpukcyb\bin\CerQwWS.exe
2020-03-24 06:18:04,023 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:04,023 [root] DEBUG: Loader: Injecting process 1576 (thread 2292) with C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:04,023 [root] DEBUG: Process image base: 0x00240000
2020-03-24 06:18:04,023 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:04,023 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:04,023 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:04,023 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1576
2020-03-24 06:18:04,023 [root] DEBUG: DLL unloaded from 0x73C40000.
2020-03-24 06:18:04,039 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:04,039 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 06:18:04,039 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:04,039 [root] DEBUG: DLL unloaded from 0x72F70000.
2020-03-24 06:18:04,039 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:04,039 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:04,039 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1576 at 0x748b0000, image base 0x240000, stack from 0x4d6000-0x4e0000
2020-03-24 06:18:04,039 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 06:18:04,039 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\Windows\eeclnt.exe" 258.
2020-03-24 06:18:04,055 [root] INFO: Added new process to list with pid: 1576
2020-03-24 06:18:04,055 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:18:04,055 [root] INFO: Monitor successfully loaded in process with pid 1576.
2020-03-24 06:18:04,055 [root] DEBUG: DLL unloaded from 0x744E0000.
2020-03-24 06:18:04,055 [root] DEBUG: set_caller_info: Adding region at 0x00160000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:18:04,055 [root] DEBUG: DLL unloaded from 0x74820000.
2020-03-24 06:18:04,055 [root] DEBUG: DLL unloaded from 0x740C0000.
2020-03-24 06:18:04,055 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 06:18:04,055 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2208
2020-03-24 06:18:04,055 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:18:04,055 [root] DEBUG: GetHookCallerBase: thread 2212 (handle 0x0), return address 0x001C4E1C, allocation base 0x001C0000.
2020-03-24 06:18:04,055 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 06:18:04,055 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x001C0000.
2020-03-24 06:18:04,071 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:18:04,071 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:18:04,071 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:18:04,071 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:18:04,071 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JrCesO\CAPE\2208_409754685418724232020
2020-03-24 06:18:04,071 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 06:18:04,071 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 06:18:04,071 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-03-24 06:18:04,071 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 06:18:04,071 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\2208_409754685418724232020
2020-03-24 06:18:04,071 [root] DEBUG: set_caller_info: Adding region at 0x00250000 to caller regions list (advapi32::LookupPrivilegeValueW).
2020-03-24 06:18:04,086 [root] DEBUG: DumpRegion: Dumped stack region from 0x001C0000, size 0x11000.
2020-03-24 06:18:04,086 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00F40000.
2020-03-24 06:18:04,086 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:18:04,086 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00F40000.
2020-03-24 06:18:04,086 [root] DEBUG: DumpProcess: Module entry point VA is 0x00007B54.
2020-03-24 06:18:04,086 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\2208_5887885665418724232020
2020-03-24 06:18:04,086 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 1308
2020-03-24 06:18:04,086 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9e00.
2020-03-24 06:18:04,101 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:04,101 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:04,101 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:04,101 [root] DEBUG: Loader: Injecting process 1308 (thread 1432) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,101 [root] DEBUG: Process image base: 0x00000000FF5D0000
2020-03-24 06:18:04,101 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,118 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:04,118 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,118 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:18:04,118 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1308
2020-03-24 06:18:04,118 [root] DEBUG: DLL unloaded from 0x74870000.
2020-03-24 06:18:04,118 [root] INFO: Notified of termination of process with pid 2208.
2020-03-24 06:18:04,118 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:18:04,134 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 1308
2020-03-24 06:18:04,134 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:04,134 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:04,134 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:04,134 [root] DEBUG: Loader: Injecting process 1308 (thread 1432) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,134 [root] DEBUG: Process image base: 0x00000000FF5D0000
2020-03-24 06:18:04,148 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,148 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:04,148 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,148 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1308
2020-03-24 06:18:04,196 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 1308
2020-03-24 06:18:04,196 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:04,196 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:04,196 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:04,196 [root] DEBUG: Loader: Injecting process 1308 (thread 0) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,196 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1432, handle 0x84
2020-03-24 06:18:04,196 [root] DEBUG: Process image base: 0x00000000FF5D0000
2020-03-24 06:18:04,196 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,196 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:04,211 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,211 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1308
2020-03-24 06:18:04,211 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 1308
2020-03-24 06:18:04,211 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:04,211 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:04,211 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:04,211 [root] DEBUG: Loader: Injecting process 1308 (thread 0) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,211 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-03-24 06:18:04,226 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:18:04,226 [root] DEBUG: Failed to inject DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,226 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1308, error: -15
2020-03-24 06:18:04,226 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1576
2020-03-24 06:18:04,226 [root] DEBUG: GetHookCallerBase: thread 2292 (handle 0x0), return address 0x00254E1C, allocation base 0x00250000.
2020-03-24 06:18:04,226 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00240000.
2020-03-24 06:18:04,226 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:18:04,226 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00240000.
2020-03-24 06:18:04,226 [root] DEBUG: DumpProcess: Module entry point VA is 0x00007B54.
2020-03-24 06:18:04,243 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\1576_104797940418724232020
2020-03-24 06:18:04,243 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9e00.
2020-03-24 06:18:04,243 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x00250000.
2020-03-24 06:18:04,243 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JrCesO\CAPE\1576_1860967434418724232020
2020-03-24 06:18:04,257 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\1576_1860967434418724232020
2020-03-24 06:18:04,257 [root] DEBUG: DumpRegion: Dumped stack region from 0x00250000, size 0x11000.
2020-03-24 06:18:04,257 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:18:04,257 [root] INFO: Notified of termination of process with pid 1576.
2020-03-24 06:18:04,321 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:04,321 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:04,321 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:04,321 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:18:04,321 [root] WARNING: Unable to hook LockResource
2020-03-24 06:18:04,335 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:04,335 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1308 at 0x00000000741C0000, image base 0x00000000FF5D0000, stack from 0x0000000000295000-0x00000000002A0000
2020-03-24 06:18:04,335 [root] DEBUG: Commandline: C:\Windows\sysnative\msiexec.exe "259".
2020-03-24 06:18:04,335 [root] INFO: Added new process to list with pid: 1308
2020-03-24 06:18:04,335 [root] INFO: Monitor successfully loaded in process with pid 1308.
2020-03-24 06:18:04,398 [root] DEBUG: set_caller_info: Adding region at 0x0000000000080000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:18:04,398 [root] DEBUG: set_caller_info: Adding region at 0x0000000000310000 to caller regions list (ntdll::RtlDecompressBuffer).
2020-03-24 06:18:04,398 [root] DEBUG: set_caller_info: Adding region at 0x00000000001F0000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 06:18:04,414 [root] DEBUG: DLL loaded at 0x000007FEFEC80000: C:\Windows\system32\WININET (0x12a000 bytes).
2020-03-24 06:18:04,414 [root] DEBUG: DLL loaded at 0x000007FEFEB00000: C:\Windows\system32\urlmon (0x178000 bytes).
2020-03-24 06:18:04,430 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2020-03-24 06:18:04,430 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2020-03-24 06:18:04,430 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-03-24 06:18:04,430 [root] DEBUG: DLL loaded at 0x000007FEFF1C0000: C:\Windows\system32\iertutil (0x259000 bytes).
2020-03-24 06:18:04,476 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-03-24 06:18:04,476 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2020-03-24 06:18:04,492 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-03-24 06:18:04,492 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-03-24 06:18:04,523 [root] DEBUG: set_caller_info: Adding region at 0x00000000000F0000 to caller regions list (kernel32::SetErrorMode).
2020-03-24 06:18:04,523 [root] DEBUG: set_caller_info: Adding region at 0x0000000000220000 to caller regions list (ntdll::NtCreateFile).
2020-03-24 06:18:04,555 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2020-03-24 06:18:04,601 [root] INFO: Announced starting service "WanServer"
2020-03-24 06:18:04,601 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2020-03-24 06:18:04,601 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:04,617 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:04,617 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:04,617 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:04,617 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2020-03-24 06:18:04,617 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 06:18:04,617 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 06:18:04,632 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 06:18:04,632 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:04,632 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:04,632 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:04,648 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:18:04,648 [root] WARNING: Unable to hook LockResource
2020-03-24 06:18:04,648 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x00000000741C0000, image base 0x00000000FFA10000, stack from 0x0000000002926000-0x0000000002930000
2020-03-24 06:18:04,648 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-03-24 06:18:04,648 [root] INFO: Added new process to list with pid: 460
2020-03-24 06:18:04,648 [root] INFO: Monitor successfully loaded in process with pid 460.
2020-03-24 06:18:04,648 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 06:18:04,664 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 06:18:04,664 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:05,709 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 2316
2020-03-24 06:18:05,709 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:05,709 [lib.api.process] INFO: 32-bit DLL to inject is C:\mwtpukcyb\dll\ZKXxlkn.dll, loader C:\mwtpukcyb\bin\CerQwWS.exe
2020-03-24 06:18:05,724 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:05,724 [root] DEBUG: Loader: Injecting process 2316 (thread 1628) with C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:05,724 [root] DEBUG: Process image base: 0x00C20000
2020-03-24 06:18:05,724 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:05,724 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:05,724 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:05,724 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2316
2020-03-24 06:18:05,740 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 2316
2020-03-24 06:18:05,740 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:05,740 [lib.api.process] INFO: 32-bit DLL to inject is C:\mwtpukcyb\dll\ZKXxlkn.dll, loader C:\mwtpukcyb\bin\CerQwWS.exe
2020-03-24 06:18:05,740 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:05,740 [root] DEBUG: Loader: Injecting process 2316 (thread 1628) with C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:05,740 [root] DEBUG: Process image base: 0x00C20000
2020-03-24 06:18:05,756 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:05,756 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:05,756 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\ZKXxlkn.dll.
2020-03-24 06:18:05,756 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2316
2020-03-24 06:18:05,756 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:05,772 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:05,772 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:05,772 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:05,772 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2316 at 0x74480000, image base 0xc20000, stack from 0x366000-0x370000
2020-03-24 06:18:05,772 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260".
2020-03-24 06:18:05,786 [root] INFO: Added new process to list with pid: 2316
2020-03-24 06:18:05,786 [root] INFO: Monitor successfully loaded in process with pid 2316.
2020-03-24 06:18:05,786 [root] DEBUG: set_caller_info: Adding region at 0x00110000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:18:05,786 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 06:18:05,786 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:18:05,786 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 06:18:05,802 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:18:05,802 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:18:05,802 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:18:05,802 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:18:05,802 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 06:18:05,802 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 06:18:05,818 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-03-24 06:18:05,818 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 06:18:05,818 [root] DEBUG: set_caller_info: Adding region at 0x00200000 to caller regions list (advapi32::LookupPrivilegeValueW).
2020-03-24 06:18:05,818 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 740
2020-03-24 06:18:05,818 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:05,818 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:05,818 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:05,834 [root] DEBUG: Loader: Injecting process 740 (thread 884) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:05,834 [root] DEBUG: Process image base: 0x00000000FF5D0000
2020-03-24 06:18:05,834 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:05,834 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:05,834 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:05,834 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 740
2020-03-24 06:18:05,834 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:18:05,849 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 740
2020-03-24 06:18:05,849 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:05,849 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:05,849 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:05,849 [root] DEBUG: Loader: Injecting process 740 (thread 884) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:05,849 [root] DEBUG: Process image base: 0x00000000FF5D0000
2020-03-24 06:18:05,865 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:05,865 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:05,865 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:05,865 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 740
2020-03-24 06:18:05,881 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 740
2020-03-24 06:18:05,881 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:05,881 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:05,881 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:05,895 [root] DEBUG: Loader: Injecting process 740 (thread 0) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:05,895 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-03-24 06:18:05,895 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-03-24 06:18:05,895 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:05,895 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:05,911 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:05,911 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:18:05,911 [root] WARNING: Unable to hook LockResource
2020-03-24 06:18:05,911 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:05,911 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 740 at 0x00000000741C0000, image base 0x00000000FF5D0000, stack from 0x0000000000235000-0x0000000000240000
2020-03-24 06:18:05,911 [root] DEBUG: Commandline: C:\Windows\sysnative\msiexec.exe "261".
2020-03-24 06:18:05,911 [root] INFO: Added new process to list with pid: 740
2020-03-24 06:18:05,927 [root] INFO: Monitor successfully loaded in process with pid 740.
2020-03-24 06:18:05,927 [root] DEBUG: set_caller_info: Adding region at 0x0000000000110000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 06:18:05,927 [root] DEBUG: DLL loaded at 0x0000000002070000: C:\mwtpukcyb\dll\uMEXMJni (0xd8000 bytes).
2020-03-24 06:18:05,927 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 06:18:05,927 [root] DEBUG: DLL unloaded from 0x0000000002070000.
2020-03-24 06:18:05,943 [root] DEBUG: Error 998 (0x3e6) - InjectDllViaThread: RtlCreateUserThread injection failed: Invalid access to memory location.
2020-03-24 06:18:05,943 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-03-24 06:18:05,943 [root] DEBUG: Failed to inject DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:05,943 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 740, error: -8
2020-03-24 06:18:05,943 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2316
2020-03-24 06:18:05,943 [root] DEBUG: set_caller_info: Adding region at 0x0000000000100000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:18:05,943 [root] DEBUG: GetHookCallerBase: thread 1628 (handle 0x0), return address 0x00204E1C, allocation base 0x00200000.
2020-03-24 06:18:05,943 [root] DEBUG: set_caller_info: Adding region at 0x0000000000050000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:18:05,943 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x00200000.
2020-03-24 06:18:05,943 [root] DEBUG: set_caller_info: Adding region at 0x00000000001C0000 to caller regions list (ntdll::RtlDecompressBuffer).
2020-03-24 06:18:05,959 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JrCesO\CAPE\2316_548731984518724232020
2020-03-24 06:18:05,959 [root] DEBUG: set_caller_info: Adding region at 0x0000000000210000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 06:18:05,973 [root] DEBUG: DLL loaded at 0x000007FEFEC80000: C:\Windows\system32\WININET (0x12a000 bytes).
2020-03-24 06:18:05,973 [root] DEBUG: DLL loaded at 0x000007FEFEB00000: C:\Windows\system32\urlmon (0x178000 bytes).
2020-03-24 06:18:05,973 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\2316_548731984518724232020
2020-03-24 06:18:05,973 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2020-03-24 06:18:05,973 [root] DEBUG: DumpRegion: Dumped stack region from 0x00200000, size 0x11000.
2020-03-24 06:18:05,990 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2020-03-24 06:18:05,990 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00C20000.
2020-03-24 06:18:05,990 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:18:05,990 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-03-24 06:18:05,990 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00C20000.
2020-03-24 06:18:05,990 [root] DEBUG: DLL loaded at 0x000007FEFF1C0000: C:\Windows\system32\iertutil (0x259000 bytes).
2020-03-24 06:18:05,990 [root] DEBUG: DumpProcess: Module entry point VA is 0x00007B54.
2020-03-24 06:18:05,990 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-03-24 06:18:06,006 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\2316_1429197540518724232020
2020-03-24 06:18:06,006 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9e00.
2020-03-24 06:18:06,006 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2020-03-24 06:18:06,006 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:18:06,006 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-03-24 06:18:06,006 [root] INFO: Notified of termination of process with pid 2316.
2020-03-24 06:18:06,020 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-03-24 06:18:06,020 [root] DEBUG: set_caller_info: Adding region at 0x0000000000250000 to caller regions list (kernel32::SetErrorMode).
2020-03-24 06:18:06,020 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1308
2020-03-24 06:18:06,020 [root] DEBUG: GetHookCallerBase: thread 1432 (handle 0x0), return address 0x00000000001F5574, allocation base 0x00000000001F0000.
2020-03-24 06:18:06,020 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 06:18:06,020 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x00000000001F0000.
2020-03-24 06:18:06,036 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2020-03-24 06:18:06,036 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 06:18:06,036 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\JrCesO\CAPE\1308_1683309490618724232020
2020-03-24 06:18:06,036 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\1308_1683309490618724232020
2020-03-24 06:18:06,052 [root] DEBUG: DumpRegion: Dumped stack region from 0x00000000001F0000, size 0x13000.
2020-03-24 06:18:06,052 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF5D0000.
2020-03-24 06:18:06,052 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:18:06,052 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF5D0000.
2020-03-24 06:18:06,052 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000000170C0.
2020-03-24 06:18:06,068 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2020-03-24 06:18:06,084 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\1308_1835944768618724232020
2020-03-24 06:18:06,084 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1ec00.
2020-03-24 06:18:06,084 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2020-03-24 06:18:06,084 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2020-03-24 06:18:06,098 [root] INFO: Notified of termination of process with pid 1308.
2020-03-24 06:18:06,115 [root] DEBUG: DLL loaded at 0x000007FEFC710000: C:\Windows\system32\dnsapi (0x5b000 bytes).
2020-03-24 06:18:06,115 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEEE0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 06:18:06,130 [root] DEBUG: DLL loaded at 0x000007FEFAD70000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2020-03-24 06:18:06,130 [root] DEBUG: DLL loaded at 0x000007FEFCB70000: C:\Windows\system32\Cryptdll (0x14000 bytes).
2020-03-24 06:18:06,161 [root] DEBUG: DLL loaded at 0x000007FEFB300000: C:\Windows\system32\NLAapi (0x15000 bytes).
2020-03-24 06:18:06,161 [root] DEBUG: DLL loaded at 0x000007FEF5700000: C:\Windows\system32\napinsp (0x15000 bytes).
2020-03-24 06:18:06,177 [root] DEBUG: DLL loaded at 0x000007FEF56E0000: C:\Windows\system32\pnrpnsp (0x19000 bytes).
2020-03-24 06:18:06,177 [root] DEBUG: DLL loaded at 0x000007FEFC890000: C:\Windows\System32\mswsock (0x55000 bytes).
2020-03-24 06:18:06,207 [root] DEBUG: DLL loaded at 0x000007FEF90A0000: C:\Windows\System32\winrnr (0xb000 bytes).
2020-03-24 06:18:06,552 [root] DEBUG: DLL loaded at 0x000007FEFAE20000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2020-03-24 06:18:06,582 [root] DEBUG: DLL loaded at 0x000007FEFA030000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2020-03-24 06:18:06,582 [root] DEBUG: set_caller_info: Adding region at 0x0000000000620000 to caller regions list (ws2_32::gethostbyname).
2020-03-24 06:18:08,502 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-03-24 06:18:08,532 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2020-03-24 06:18:08,563 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 06:18:08,579 [root] DEBUG: DLL loaded at 0x000007FEFD360000: C:\Windows\system32\wintrust (0x3a000 bytes).
2020-03-24 06:18:08,579 [root] DEBUG: DLL loaded at 0x000007FEFC680000: C:\Windows\system32\schannel (0x57000 bytes).
2020-03-24 06:18:08,595 [root] DEBUG: set_caller_info: Adding region at 0x0000000000C60000 to caller regions list (wininet::InternetSetOptionA).
2020-03-24 06:18:08,611 [root] DEBUG: DLL loaded at 0x000007FEF54D0000: C:\Windows\system32\RASAPI32 (0x62000 bytes).
2020-03-24 06:18:08,611 [root] DEBUG: DLL loaded at 0x000007FEF54B0000: C:\Windows\system32\rasman (0x1c000 bytes).
2020-03-24 06:18:08,625 [root] DEBUG: DLL loaded at 0x000007FEFBA20000: C:\Windows\system32\sensapi (0x9000 bytes).
2020-03-24 06:18:08,641 [root] DEBUG: DLL loaded at 0x000007FEFA720000: C:\Windows\system32\rtutils (0x11000 bytes).
2020-03-24 06:18:08,657 [root] DEBUG: DLL unloaded from 0x000007FEFE300000.
2020-03-24 06:18:08,657 [root] DEBUG: DLL unloaded from 0x000007FEFEC80000.
2020-03-24 06:18:08,657 [root] DEBUG: DLL unloaded from 0x000007FEF54B0000.
2020-03-24 06:18:08,657 [root] DEBUG: DLL loaded at 0x000007FEFC290000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2020-03-24 06:18:08,673 [root] DEBUG: set_caller_info: Adding region at 0x00000000024D0000 to caller regions list (ws2_32::setsockopt).
2020-03-24 06:18:08,673 [root] DEBUG: RtlDispatchException: Unhandled exception! Address 0x000007FEFEEE0000, code 0xc0000005, flags 0x0, parameters 0x0 and 0xe7fee8e0.
2020-03-24 06:18:10,670 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2020-03-24 06:18:10,717 [root] INFO: Announced starting service "WerSvc"
2020-03-24 06:18:10,732 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2908
2020-03-24 06:18:10,732 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:10,732 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:10,732 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:10,747 [root] DEBUG: Loader: Injecting process 2908 (thread 880) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,747 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 06:18:10,747 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,747 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:10,747 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,747 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2908
2020-03-24 06:18:10,763 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2908
2020-03-24 06:18:10,763 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:10,763 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:10,763 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:10,763 [root] DEBUG: Loader: Injecting process 2908 (thread 880) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,763 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 06:18:10,779 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,779 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:10,779 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,779 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2908
2020-03-24 06:18:10,779 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:10,795 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:10,795 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:10,795 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:18:10,795 [root] WARNING: Unable to hook LockResource
2020-03-24 06:18:10,809 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:10,809 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2908 at 0x00000000741C0000, image base 0x00000000FFA10000, stack from 0x00000000000B5000-0x00000000000C0000
2020-03-24 06:18:10,809 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k WerSvcGroup.
2020-03-24 06:18:10,809 [root] INFO: Added new process to list with pid: 2908
2020-03-24 06:18:10,809 [root] INFO: Monitor successfully loaded in process with pid 2908.
2020-03-24 06:18:10,825 [root] DEBUG: DLL loaded at 0x000007FEF4CE0000: c:\windows\system32\wersvc (0x18000 bytes).
2020-03-24 06:18:10,825 [root] DEBUG: DLL unloaded from 0x000007FEF4CE0000.
2020-03-24 06:18:10,857 [root] DEBUG: DLL loaded at 0x000007FEF2D50000: C:\Windows\System32\faultrep (0x5c000 bytes).
2020-03-24 06:18:10,872 [root] DEBUG: RtlDispatchException: Unhandled exception! Address 0x000007FEFEEE0000, code 0xc0000005, flags 0x0, parameters 0x0 and 0xe7fee8e0.
2020-03-24 06:18:10,872 [root] DEBUG: DLL loaded at 0x000007FEF8CA0000: C:\Windows\System32\wer (0x7c000 bytes).
2020-03-24 06:18:10,888 [root] DEBUG: DLL unloaded from 0x000007FEF8CA0000.
2020-03-24 06:18:10,904 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2020-03-24 06:18:10,904 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\System32\profapi (0xf000 bytes).
2020-03-24 06:18:10,904 [root] DEBUG: DLL unloaded from 0x000007FEFD020000.
2020-03-24 06:18:10,904 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\System32\USERENV (0x1e000 bytes).
2020-03-24 06:18:10,920 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2640
2020-03-24 06:18:10,920 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 1340
2020-03-24 06:18:10,934 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:10,934 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:10,934 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:10,934 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:10,934 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:10,934 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:10,934 [root] DEBUG: Loader: Injecting process 2640 (thread 2072) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,934 [root] DEBUG: Loader: Injecting process 1340 (thread 2064) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,934 [root] DEBUG: Process image base: 0x00000000FFA00000
2020-03-24 06:18:10,934 [root] DEBUG: Process image base: 0x00000000FFA00000
2020-03-24 06:18:10,950 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,950 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,950 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:10,950 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:18:10,950 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,950 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,950 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2640
2020-03-24 06:18:10,950 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1340
2020-03-24 06:18:10,950 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2020-03-24 06:18:10,966 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 1340
2020-03-24 06:18:10,966 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2640
2020-03-24 06:18:10,966 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:10,966 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:18:10,966 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:10,966 [lib.api.process] INFO: 64-bit DLL to inject is C:\mwtpukcyb\dll\uMEXMJni.dll, loader C:\mwtpukcyb\bin\VijTvkxN.exe
2020-03-24 06:18:10,966 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:10,966 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\isvGNj.
2020-03-24 06:18:10,966 [root] DEBUG: Loader: Injecting process 1340 (thread 2064) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,982 [root] DEBUG: Loader: Injecting process 2640 (thread 2072) with C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,982 [root] DEBUG: Process image base: 0x00000000FFA00000
2020-03-24 06:18:10,982 [root] DEBUG: Process image base: 0x00000000FFA00000
2020-03-24 06:18:10,982 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,982 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,982 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:10,982 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:18:10,982 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,982 [root] DEBUG: Successfully injected DLL C:\mwtpukcyb\dll\uMEXMJni.dll.
2020-03-24 06:18:10,982 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1340
2020-03-24 06:18:10,982 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2640
2020-03-24 06:18:10,997 [root] DEBUG: DLL unloaded from 0x000007FEF2D50000.
2020-03-24 06:18:10,997 [root] DEBUG: DLL unloaded from 0x000007FEF2D50000.
2020-03-24 06:18:11,013 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:11,013 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:18:11,013 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:11,013 [root] DEBUG: Process dumps enabled.
2020-03-24 06:18:11,029 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:11,029 [root] INFO: Disabling sleep skipping.
2020-03-24 06:18:11,029 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:18:11,029 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:18:11,029 [root] WARNING: Unable to hook LockResource
2020-03-24 06:18:11,029 [root] WARNING: Unable to hook LockResource
2020-03-24 06:18:11,043 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:11,043 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:18:11,043 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1340 at 0x00000000741C0000, image base 0x00000000FFA00000, stack from 0x00000000001B5000-0x00000000001C0000
2020-03-24 06:18:11,043 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2640 at 0x00000000741C0000, image base 0x00000000FFA00000, stack from 0x00000000001D5000-0x00000000001E0000
2020-03-24 06:18:11,043 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 740 -s 924.
2020-03-24 06:18:11,043 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 740 -s 896.
2020-03-24 06:18:11,043 [root] INFO: Added new process to list with pid: 1340
2020-03-24 06:18:11,043 [root] INFO: Monitor successfully loaded in process with pid 1340.
2020-03-24 06:18:11,043 [root] INFO: Added new process to list with pid: 2640
2020-03-24 06:18:11,043 [root] INFO: Monitor successfully loaded in process with pid 2640.
2020-03-24 06:18:11,075 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1340
2020-03-24 06:18:11,075 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2640
2020-03-24 06:18:11,075 [root] DEBUG: GetHookCallerBase: thread 2064 (handle 0x0), return address 0x00000000FFA447E8, allocation base 0x00000000FFA00000.
2020-03-24 06:18:11,075 [root] DEBUG: GetHookCallerBase: thread 2072 (handle 0x0), return address 0x00000000FFA447E8, allocation base 0x00000000FFA00000.
2020-03-24 06:18:11,075 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFA00000.
2020-03-24 06:18:11,075 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFA00000.
2020-03-24 06:18:11,075 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:18:11,091 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:18:11,091 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFA00000.
2020-03-24 06:18:11,091 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFA00000.
2020-03-24 06:18:11,091 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000044920.
2020-03-24 06:18:11,091 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000044920.
2020-03-24 06:18:11,091 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 06:18:11,091 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 06:18:11,107 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2020-03-24 06:18:11,121 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Windows\system32\CapeOutput.bin: The system cannot find the file specified.
2020-03-24 06:18:11,121 [root] INFO: Notified of termination of process with pid 2640.
2020-03-24 06:18:11,121 [root] INFO: Notified of termination of process with pid 740.
2020-03-24 06:18:11,121 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\1340_21311257581118724232020
2020-03-24 06:18:11,121 [root] DEBUG: Terminate Event: Attempting to dump process 740
2020-03-24 06:18:11,121 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x65600.
2020-03-24 06:18:11,138 [root] INFO: Notified of termination of process with pid 1340.
2020-03-24 06:18:12,667 [root] DEBUG: DLL unloaded from 0x000007FEF4CE0000.
2020-03-24 06:20:10,898 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2908
2020-03-24 06:20:10,898 [root] DEBUG: GetHookCallerBase: thread 880 (handle 0x0), return address 0x00000000FFA11D42, allocation base 0x00000000FFA10000.
2020-03-24 06:20:10,914 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFA10000.
2020-03-24 06:20:10,914 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:20:10,914 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFA10000.
2020-03-24 06:20:10,914 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-03-24 06:20:10,961 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\System32\cryptbase (0xf000 bytes).
2020-03-24 06:20:10,976 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\2908_7351490863020724232020
2020-03-24 06:20:10,976 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6600.
2020-03-24 06:20:10,976 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2020-03-24 06:20:10,993 [root] INFO: Notified of termination of process with pid 2908.
2020-03-24 06:20:19,713 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2020-03-24 06:20:19,729 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2020-03-24 06:21:23,782 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 06:21:23,782 [root] INFO: Created shutdown mutex.
2020-03-24 06:21:24,796 [lib.api.process] INFO: Terminate event set for process 1632
2020-03-24 06:21:24,796 [root] DEBUG: Terminate Event: Attempting to dump process 1632
2020-03-24 06:21:24,796 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF900000.
2020-03-24 06:21:24,796 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:21:24,796 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF900000.
2020-03-24 06:21:24,812 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2020-03-24 06:21:24,875 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\1632_3113985142421624232020
2020-03-24 06:21:24,875 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2baa00.
2020-03-24 06:21:24,875 [lib.api.process] INFO: Termination confirmed for process 1632
2020-03-24 06:21:24,875 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1632
2020-03-24 06:21:24,875 [root] INFO: Terminate event set for process 1632.
2020-03-24 06:21:24,890 [root] INFO: Terminating process 1632 before shutdown.
2020-03-24 06:21:24,890 [root] INFO: Waiting for process 1632 to exit.
2020-03-24 06:21:25,891 [root] INFO: Shutting down package.
2020-03-24 06:21:25,892 [root] INFO: Stopping auxiliary modules.
2020-03-24 06:21:25,894 [root] INFO: Finishing auxiliary modules.
2020-03-24 06:21:25,895 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 06:21:25,897 [root] WARNING: File at path "C:\JrCesO\debugger" does not exist, skip.
2020-03-24 06:21:25,898 [root] INFO: Analysis completed.
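The analyzer log above records which processes CAPE hooked, which of them were dumped at termination, and how large each image dump was, but the relevant facts are spread over lines that carry a PID in different places (the "Added new CAPE file" path embeds it as a prefix, the "dump size" line that follows carries none, and the WerFault command line names the crashed process after "-p" rather than the WerFault PID). The parser below is an added example, not CAPE code: it reconstructs a per-PID summary from a subset of the log lines copied from this report, attributing each "dump size" line to the PID of the CAPE file path that precedes it. The dump-path pairing rule is an assumption drawn from the ordering seen in this log.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the analyzer log lines from this report, copied
# verbatim (raw string so the Windows paths keep their backslashes).
SAMPLE_LOG = r"""
2020-03-24 06:18:10,966 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 1340
2020-03-24 06:18:10,966 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2640
2020-03-24 06:18:11,043 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1340 at 0x00000000741C0000, image base 0x00000000FFA00000, stack from 0x00000000001B5000-0x00000000001C0000
2020-03-24 06:18:11,043 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2640 at 0x00000000741C0000, image base 0x00000000FFA00000, stack from 0x00000000001D5000-0x00000000001E0000
2020-03-24 06:18:11,043 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 740 -s 924.
2020-03-24 06:18:11,043 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 740 -s 896.
2020-03-24 06:18:11,075 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1340
2020-03-24 06:18:11,121 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\1340_21311257581118724232020
2020-03-24 06:18:11,121 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x65600.
2020-03-24 06:18:11,138 [root] INFO: Notified of termination of process with pid 1340.
2020-03-24 06:20:10,898 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2908
2020-03-24 06:20:10,976 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\2908_7351490863020724232020
2020-03-24 06:20:10,976 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6600.
2020-03-24 06:20:10,993 [root] INFO: Notified of termination of process with pid 2908.
2020-03-24 06:21:24,796 [root] DEBUG: Terminate Event: Attempting to dump process 1632
2020-03-24 06:21:24,875 [root] INFO: Added new CAPE file to list with path: C:\JrCesO\CAPE\1632_3113985142421624232020
2020-03-24 06:21:24,875 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2baa00.
2020-03-24 06:21:24,875 [lib.api.process] INFO: Termination confirmed for process 1632
"""

RE_ANNOUNCE = re.compile(r"Announced (\d+)-bit process name: (\S+) pid: (\d+)")
RE_INIT = re.compile(r"CAPE initialised: .*? in process (\d+) at 0x([0-9A-Fa-f]+), image base 0x([0-9A-Fa-f]+)")
# WerFault's "-p <pid>" names the process that crashed, not WerFault itself.
RE_WERFAULT = re.compile(r"Commandline: .*?WerFault\.exe .*?-p (\d+)")
RE_DUMP_PATH = re.compile(r"Added new CAPE file to list with path: (\S+)")
RE_DUMP_SIZE = re.compile(r"dump size 0x([0-9A-Fa-f]+)")
RE_TERM = re.compile(r"(?:Notified of termination of process with pid|Termination confirmed for process) (\d+)")


def parse_cape_log(text):
    """Return ({pid: summary}, {crashed pids}) reconstructed from analyzer log lines."""
    procs = defaultdict(lambda: {"name": None, "bits": None, "monitor_base": None,
                                 "image_base": None, "dump_path": None,
                                 "dump_size": None, "terminated": False})
    crashed = set()
    last_dump_pid = None  # PID taken from the most recent CAPE file path
    for line in text.splitlines():
        m = RE_ANNOUNCE.search(line)
        if m:
            p = procs[int(m.group(3))]
            p["bits"], p["name"] = int(m.group(1)), m.group(2)
            continue
        m = RE_INIT.search(line)
        if m:
            p = procs[int(m.group(1))]
            p["monitor_base"], p["image_base"] = int(m.group(2), 16), int(m.group(3), 16)
            continue
        m = RE_WERFAULT.search(line)
        if m:
            crashed.add(int(m.group(1)))
            continue
        m = RE_DUMP_PATH.search(line)
        if m:
            path = m.group(1)
            pid_m = re.search(r"[\\/](\d+)_\d+$", path)  # "<pid>_<timestamp>" file name
            if pid_m:
                last_dump_pid = int(pid_m.group(1))
                procs[last_dump_pid]["dump_path"] = path
            continue
        m = RE_DUMP_SIZE.search(line)
        if m and last_dump_pid is not None:
            # Assumption: the size line belongs to the CAPE file announced just before it.
            procs[last_dump_pid]["dump_size"] = int(m.group(1), 16)
            continue
        m = RE_TERM.search(line)
        if m:
            procs[int(m.group(1))]["terminated"] = True
    return dict(procs), crashed


def dumps_by_size(procs):
    """(pid, size) for every process that produced an image dump, largest first."""
    return sorted(((pid, p["dump_size"]) for pid, p in procs.items() if p["dump_size"]),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    procs, crashed = parse_cape_log(SAMPLE_LOG)
    for pid, size in dumps_by_size(procs):
        print(f"pid {pid:5d} {procs[pid]['name'] or '?':13s} dump {size:#x} -> {procs[pid]['dump_path']}")
    print("WerFault invoked for crashed pid(s):", sorted(crashed))
```

Run against the full log, the largest-first ordering is what tells you which CAPE file to open first: here the 0x2baa00-byte dump of pid 1632 rather than the 0x6600-byte one from pid 2908, and the two WerFault instances both point at pid 740 as the process that crashed.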

MalScore

10.0

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2020-03-24 06:18:00
Shutdown On 2020-03-24 06:21:41

File Details

File Name exe.bin
File Size 226304 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 53c1fd5ac99b5690b278ffcc5a49a598
SHA1 656850fe87ead292ceb4844c9a003f9fac354ef6
SHA256 e9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0
SHA512 ef39eb51ccb8959c9e3ad70e232bb9193dca7ccf43e3df251a7aa807594f34af1140f59a325c3ab02473b2063a9ea0cc3e8aa9692dfe7125b60183f3e2023847
CRC32 1F301AD2
Ssdeep 3072:DWnu5sNw0Y92CstYXt8GAlrs9K1OGof0IspA3Ame8yFyQj:639CAYXt8GKrsg1OGof0Rvmal
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

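The Signatures section below lists, as DynamicLoader entries, every API the sample resolved at run time through GetProcAddress rather than through its import table. Read line by line the list is long and repetitive; what matters for triage is which API sets co-occur (allocate-write-resume in a remote process, service creation and start, token privilege adjustment, WinINet request setup, CryptoAPI key derivation and encryption). The script below is an added example, not a CAPE signature: it parses a subset of the DynamicLoader entries copied from this report, separates ordinal-only resolutions (entries ending in "/") from named ones, and reports a behaviour only when its whole API set was resolved. The behaviour-to-API mapping is the editor's own heuristic and an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the DynamicLoader entries from the Signatures
# section of this report, copied verbatim. Entries ending in "/" are ordinal-only
# resolutions that the sandbox could not name.
SAMPLE_LINES = """
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/ImpersonateLoggedOnUser
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WS2_32.dll/
DynamicLoader: comctl32.dll/
"""

# Editor's heuristic mapping (an assumption, not a CAPE signature): a behaviour is
# reported only when every API in its set was resolved. Names are matched without
# the DLL because the same export can be reached through kernel32 or kernelbase.
BEHAVIOURS = {
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW"},
    "remote process injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ResumeThread"},
    "service persistence": {"OpenSCManagerW", "CreateServiceW", "StartServiceW"},
    "privilege adjustment": {"LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "run as another user": {"ImpersonateLoggedOnUser", "CreateProcessAsUserW"},
    "CryptoAPI encryption": {"CryptAcquireContextW", "CryptDeriveKey", "CryptEncrypt"},
    "HTTP via WinINet": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA"},
    "WOW64 redirection bypass": {"Wow64DisableWow64FsRedirection"},
    "anti-debug check": {"IsDebuggerPresent"},
    "single-instance mutex": {"CreateMutexA", "OpenMutexA"},
}

RE_DYNLOAD = re.compile(r"DynamicLoader:\s*([^/\s]+)/(\S*)")


def parse_dynamic_loader(text):
    """Return ({dll: set(api names)}, {dll: ordinal-only count}) from DynamicLoader lines."""
    by_dll = defaultdict(set)
    ordinal_only = defaultdict(int)
    for line in text.splitlines():
        m = RE_DYNLOAD.search(line)
        if not m:
            continue
        dll, api = m.group(1).lower(), m.group(2)
        if api:
            by_dll[dll].add(api)
        else:
            ordinal_only[dll] += 1  # resolved by ordinal; name unknown to the sandbox
    return dict(by_dll), dict(ordinal_only)


def classify(by_dll):
    """{behaviour: sorted APIs} for every behaviour whose full API set was resolved."""
    resolved = set().union(*by_dll.values())
    return {name: sorted(apis) for name, apis in BEHAVIOURS.items() if apis <= resolved}


def triage(text):
    """One-call summary: (sorted behaviour names, ordinal-only counts per DLL)."""
    by_dll, ordinal_only = parse_dynamic_loader(text)
    return sorted(classify(by_dll)), ordinal_only


if __name__ == "__main__":
    behaviours, ordinals = triage(SAMPLE_LINES)
    for b in behaviours:
        print("behaviour:", b)
    for dll, n in sorted(ordinals.items()):
        print(f"{dll}: {n} ordinal-only import(s), names unresolved")
```

The all-of rule keeps noise down: a lone VirtualAllocEx is common in benign code, while VirtualAllocEx, WriteProcessMemory and ResumeThread resolved together alongside OpenProcess is the pattern worth opening the CAPE dumps for. Ordinal-only entries (WS2_32.dll and comctl32.dll here) are reported separately because their names cannot be matched and should be resolved against the DLL's export table by hand.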
Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
At least one process apparently crashed during execution
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2208 triggered the Yara rule 'embedded_win_api'
Hit: PID 2208 triggered the Yara rule 'shellcode_patterns'
Hit: PID 1576 triggered the Yara rule 'embedded_win_api'
Hit: PID 1576 triggered the Yara rule 'shellcode_patterns'
Hit: PID 2316 triggered the Yara rule 'embedded_win_api'
Hit: PID 2316 triggered the Yara rule 'shellcode_patterns'
Hit: PID 1308 triggered the Yara rule 'embedded_win_api'
Possible date expiration check, exits too soon after checking local time
process: exe.bin, PID 828
Creates RWX memory
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: ADVAPI32.dll/ImpersonateLoggedOnUser
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2W
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/GetAdaptersInfo
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: SHELL32.dll/
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: ADVAPI32.dll/ImpersonateLoggedOnUser
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2W
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/GetAdaptersInfo
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: ADVAPI32.dll/ImpersonateLoggedOnUser
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2W
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/GetAdaptersInfo
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: WS2_32.dll/closesocket
DynamicLoader: WS2_32.dll/shutdown
DynamicLoader: ntdll.dll/RtlGetNtVersionNumbers
DynamicLoader: Cryptdll.dll/MD5Init
DynamicLoader: Cryptdll.dll/MD5Update
DynamicLoader: Cryptdll.dll/MD5Final
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptDeriveKey
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/OpenSCManagerA
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: wersvc.dll/ServiceMain
DynamicLoader: wersvc.dll/SvchostPushServiceGlobals
DynamicLoader: ADVAPI32.dll/RegGetValueW
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: faultrep.dll/WerpInitiateCrashReporting
DynamicLoader: wer.dll/WerpCreateMachineStore
DynamicLoader: SHELL32.dll/SHGetFolderPathEx
DynamicLoader: wer.dll/WerpCreateMachineStore
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: profapi.dll/
DynamicLoader: USERENV.dll/CreateEnvironmentBlock
DynamicLoader: profapi.dll/
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: USERENV.dll/DestroyEnvironmentBlock
DynamicLoader: LPK.dll/LpkEditControl
DynamicLoader: IMM32.dll/ImmDisableIME
Performs HTTP requests potentially not found in PCAP.
url: 153.148.83.172:443//login.asp?id=35
Expresses interest in specific running processes
process: explorer.exe
A process created a hidden window
Process: exe.bin -> C:\Users\user\AppData\Local\Temp\adobe.exe
Process: adobe.exe -> C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
CAPE extracted potentially suspicious content
adobe.exe: Extracted Shellcode
eeclnt.exe: Extracted Shellcode
msiexec.exe: Extracted Shellcode
Drops a binary and executes it
binary: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
binary: C:\Users\user\AppData\Local\Temp\adobe.exe
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 7.14, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0001d000, virtual_size: 0x0001db1c
Uses Windows utilities for basic functionality
command: cmd /c ""C:\Users\user\AppData\Local\Temp\a.bat" "
Uses Windows utilities for basic functionality
command: C:\Users\user\AppData\Local\Temp\a.bat
Deletes its original binary from disk
Behavioural detection: Injection (Process Hollowing)
Injection: eeclnt.exe(1576) -> msiexec.exe(1308)
Executed a process and injected code into it, probably while unpacking
Injection: eeclnt.exe(1576) -> msiexec.exe(1308)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Tries to unhook or modify Windows functions monitored by Cuckoo
unhook: function_name: shutdown, type: modification
unhook: function_name: closesocket, type: modification
Installs itself for autorun at Windows startup
service name: WanServer
service path: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260"
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\Windows\

Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
N       153.148.83.172  Japan

DNS

Name                   Response / Post-Analysis Lookup
news.singmicrosoft.ga  CNAME sinkhole.dynu.net
                       A 153.148.83.172
                       CNAME a.sinkhole.yourtrap.com

Summary

C:\Users\user\AppData\Local\Temp\MSVCR110.dat
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Local\Temp\MSVCR110.dll
C:\Users\user\AppData\Local\Temp\a.bat
C:\Windows\Globalization\Sorting\sortdefault.nls
\??\MountPointManager
C:\Users\user\AppData\Local\Temp\exe
C:\Users\user\AppData\Local\Temp\exe.*
C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\msvcr90.dll
C:\Windows
C:\Windows\winsxs
C:\Users\user\AppData\Roaming\Windows\
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
C:\
C:\Users
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Windows
C:\Users\user\AppData\Roaming\Windows\desktop.ini
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\a.bat"
C:\Users\user\AppData\Local\Temp\exe.bin
C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini
C:\Windows\sysnative\ntdll.dll
C:\Windows\sysnative\kernelbase.dll
C:\Windows\Temp
C:\Windows\sysnative\LogFiles\Scm\994c86ad-a929-4b2c-88a0-4e25a107a029
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Windows\sysnative\LogFiles\Scm\fb3c354d-297a-4eb2-9b58-090f6361906b
C:\ProgramData\Microsoft\Windows\WER\ReportQueue
C:\Windows\WindowsShell.Manifest
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\exe.bin
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CLASSES_ROOT\.
HKEY_CLASSES_ROOT\.\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
HKEY_CLASSES_ROOT\Unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SuppressionPolicy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\UsersFiles\NameSpace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\UsersFiles\NameSpace\DelegateFolders
HKEY_CLASSES_ROOT\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\LoadWithoutCOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\open
HKEY_CLASSES_ROOT\*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\open
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shell\open
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\adobe.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\adobe.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\adobe.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\LoadWithoutCOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.dll\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\pzq.rkr
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\RequiredPrivileges
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
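Most of the keys in the list above are background noise from Winsock, WER, Explorer and locale initialisation, but a few carry signal: the ROT13-obfuscated UserAssist entry, the Image File Execution Options lookup for msiexec.exe, the Command Processor\AutoRun reads, and the ImagePath/ObjectName reads for a service called WanServer that no stock system service list contains. The script below is an added example, not part of the sandbox report or of CAPE: it triages a registry-key list of this shape, ROT13-decodes UserAssist paths, expands the two KNOWNFOLDERID GUIDs that occur here, and flags service lookups outside an assumed baseline of built-in services (that baseline, the sample key list, and the finding labels are the example's own constructions).

```python
import codecs
import re

# KNOWNFOLDERID values that occur in this report (FOLDERID_ProgramData is
# queried under FolderDescriptions; FOLDERID_SystemX86 appears ROT13-encoded
# inside the UserAssist entry).
KNOWN_FOLDERS = {
    "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}": "FOLDERID_ProgramData",
    "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}": "FOLDERID_SystemX86",
}

# Assumed baseline: built-in services a Windows 7 guest queries on its own.
# Any other service whose ImagePath/ObjectName/ServiceDll is read is flagged.
BASELINE_SERVICES = {
    "cryptsvc", "gpsvc", "wersvc", "aelookupsvc", "audiosrv", "bfe",
    "audioendpointbuilder", "rpceptmapper", "dcomlaunch", "eventsystem",
    "policyagent", "fontcache", "mmcss", "winsock2",
}

USERASSIST_RE = re.compile(r"\\UserAssist\\\{[0-9A-F-]+\}\\Count\\(.+)$", re.I)
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.I)
SERVICE_RE = re.compile(
    r"\\services\\([^\\]+)\\(ImagePath|ObjectName|Parameters\\ServiceDll)$", re.I)
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Constructed sample drawn from the key list in this report.
SAMPLE_KEYS = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\pzq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
""".strip().splitlines()


def decode_userassist(tail: str) -> str:
    """UserAssist stores the executed path ROT13-encoded; digits and
    punctuation pass through unchanged, so GUIDs survive the decode."""
    return codecs.decode(tail, "rot_13")


def expand_known_folders(path: str) -> str:
    """Replace KNOWNFOLDERID GUIDs we recognise with their symbolic names."""
    return GUID_RE.sub(
        lambda m: KNOWN_FOLDERS.get(m.group(0).upper(), m.group(0)), path)


def triage(keys):
    """Return (kind, key, note) tuples for the keys worth an analyst's time."""
    findings = []
    for key in keys:
        key = key.strip()
        if not key:
            continue
        m = USERASSIST_RE.search(key)
        if m:
            decoded = expand_known_folders(decode_userassist(m.group(1)))
            findings.append(("userassist_exec", key, decoded))
            continue
        m = IFEO_RE.search(key)
        if m:
            # IFEO is consulted when a process with this image name is created,
            # so this usually means the sample launched (or is) that binary.
            findings.append(("ifeo_lookup", key, "process creation of " + m.group(1)))
            continue
        if key.lower().endswith(r"\command processor\autorun"):
            # cmd.exe reads AutoRun at startup; the value is also a persistence
            # point, so check its contents on the guest, not only the read.
            findings.append(("cmd_autorun", key, "cmd.exe started; AutoRun is a persistence point"))
            continue
        m = SERVICE_RE.search(key)
        if m and m.group(1).lower() not in BASELINE_SERVICES:
            findings.append(("unknown_service", key, "service not in baseline: " + m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, key, note in triage(SAMPLE_KEYS):
        print(f"{kind:16} {note}\n    {key}")
```

On the keys in this report the decoder turns `{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\pzq.rkr` into `{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\cmd.exe`, i.e. cmd.exe run from the 32-bit system directory, which lines up with the Command Processor reads that follow it; the WanServer lookups are the ones to chase in the file-system and service-creation sections of the same report.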
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32SpinCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\pzq.rkr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
ole32.dll.OleInitialize
ole32.dll.OleUninitialize
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
ntdll.dll.memcpy
ntdll.dll.RtlDecompressBuffer
kernel32.dll.SetErrorMode
kernel32.dll.GetModuleHandleW
kernel32.dll.GetCommandLineW
kernel32.dll.Sleep
kernel32.dll.IsWow64Process
kernel32.dll.WideCharToMultiByte
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.SetFileAttributesW
kernel32.dll.GetModuleFileNameW
kernel32.dll.SetEnvironmentVariableW
kernel32.dll.ReadFile
kernel32.dll.GetFileSize
kernel32.dll.CreateFileW
kernel32.dll.MultiByteToWideChar
kernel32.dll.GetModuleHandleA
kernel32.dll.Process32NextW
kernel32.dll.Process32FirstW
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.FreeLibrary
kernel32.dll.GetComputerNameA
kernel32.dll.GetComputerNameW
kernel32.dll.GetSystemInfo
kernel32.dll.CreateMutexA
kernel32.dll.OpenMutexA
kernel32.dll.ExitProcess
kernel32.dll.lstrcmpiW
kernel32.dll.GetCurrentProcess
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.GetSystemDirectoryW
kernel32.dll.Wow64RevertWow64FsRedirection
kernel32.dll.TerminateProcess
kernel32.dll.ResumeThread
kernel32.dll.GetVersionExW
kernel32.dll.CloseHandle
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.VirtualFreeEx
kernel32.dll.VirtualQueryEx
kernel32.dll.ReadProcessMemory
kernel32.dll.GetLastError
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.DeleteCriticalSection
kernel32.dll.InitializeCriticalSection
kernel32.dll.HeapReAlloc
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.HeapAlloc
kernel32.dll.GetProcAddress
kernel32.dll.GetTickCount
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.DeleteFileW
kernel32.dll.OpenProcess
user32.dll.wsprintfW
user32.dll.wsprintfA
advapi32.dll.CryptHashData
advapi32.dll.CryptDeriveKey
advapi32.dll.CryptEncrypt
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptReleaseContext
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.GetUserNameW
advapi32.dll.RevertToSelf
advapi32.dll.ImpersonateLoggedOnUser
advapi32.dll.DeleteService
advapi32.dll.ControlService
advapi32.dll.QueryServiceStatus
advapi32.dll.OpenSCManagerW
advapi32.dll.CreateServiceW
advapi32.dll.OpenServiceW
advapi32.dll.CloseServiceHandle
advapi32.dll.ChangeServiceConfig2W
advapi32.dll.StartServiceW
advapi32.dll.RegSetValueExW
advapi32.dll.OpenProcessToken
advapi32.dll.CreateProcessAsUserW
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegDeleteValueW
advapi32.dll.RegCloseKey
advapi32.dll.CryptCreateHash
advapi32.dll.CryptAcquireContextW
shell32.dll.ShellExecuteW
shell32.dll.CommandLineToArgvW
shell32.dll.SHFileOperationW
shell32.dll.SHCreateDirectoryExW
wininet.dll.InternetReadFile
wininet.dll.HttpQueryInfoA
wininet.dll.HttpSendRequestA
wininet.dll.HttpAddRequestHeadersA
wininet.dll.InternetCloseHandle
wininet.dll.InternetConnectA
wininet.dll.InternetSetOptionA
wininet.dll.InternetOpenA
wininet.dll.HttpOpenRequestA
wininet.dll.InternetSetOptionW
ws2_32.dll.#11
ws2_32.dll.#52
ws2_32.dll.#57
ws2_32.dll.#115
ws2_32.dll.#21
ws2_32.dll.#12
iphlpapi.dll.GetAdaptersInfo
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CreateBindCtx
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#320
ole32.dll.StringFromGUID2
comctl32.dll.#324
comctl32.dll.#323
advapi32.dll.RegEnumKeyW
oleaut32.dll.#2
ole32.dll.CoUninitialize
ole32.dll.CoRevokeInitializeSpy
comctl32.dll.#388
oleaut32.dll.#500
oleaut32.dll.#200
comctl32.dll.#385
comctl32.dll.#328
comctl32.dll.#334
ole32.dll.CoCreateInstance
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.IsTextUnicode
comctl32.dll.#332
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegQueryValueExW
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
shell32.dll.#66
propsys.dll.InitPropVariantFromBuffer
comctl32.dll.#336
comctl32.dll.#329
comctl32.dll.#387
comctl32.dll.#327
cryptsp.dll.CryptReleaseContext
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
ws2_32.dll.closesocket
ws2_32.dll.shutdown
ntdll.dll.RtlGetNtVersionNumbers
cryptdll.dll.MD5Init
cryptdll.dll.MD5Update
cryptdll.dll.MD5Final
kernel32.dll.GetNativeSystemInfo
cryptsp.dll.CryptHashData
cryptsp.dll.CryptDeriveKey
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
rasapi32.dll.RasConnectionNotificationW
sechost.dll.OpenSCManagerA
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
wersvc.dll.ServiceMain
wersvc.dll.SvchostPushServiceGlobals
advapi32.dll.RegGetValueW
sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
faultrep.dll.WerpInitiateCrashReporting
wer.dll.WerpCreateMachineStore
shell32.dll.SHGetFolderPathEx
profapi.dll.#104
userenv.dll.CreateEnvironmentBlock
sechost.dll.ConvertSidToStringSidW
sspicli.dll.GetUserNameExW
userenv.dll.DestroyEnvironmentBlock
lpk.dll.LpkEditControl
imm32.dll.ImmDisableIME
"C:\Users\user\AppData\Local\Temp\adobe.exe"
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Local\Temp\exe
"C:\Users\user\AppData\Local\Temp\a.bat"
cmd /c ""C:\Users\user\AppData\Local\Temp\a.bat" "
C:\Users\user\AppData\Local\Temp\a.bat
"C:\Users\user\AppData\Roaming\Windows\eeclnt.exe" 258
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe 258
C:\Windows\system32\msiexec.exe "259"
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260"
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\msiexec.exe "261"
C:\Windows\system32\WerFault.exe -u -p 740 -s 924
C:\Windows\system32\WerFault.exe -u -p 740 -s 896
Global\eeclnt
WanServer
WanServer
WerSvc

PE Information

Image Base 0x00400000
Entry Point 0x00401574
Reported Checksum 0x0003e02b
Actual Checksum 0x0003e02b
Minimum OS Version 5.0
Compile Time 2018-04-16 03:42:10
Import Hash b8b143646d634b8219042f8517118310

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000065d4 0x00006600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.61
.rdata 0x00008000 0x00001c4c 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.29
.data 0x0000a000 0x0001db1c 0x0001d000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.14
.rsrc 0x00028000 0x00010a80 0x00010c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.12
.reloc 0x00039000 0x00000e44 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.74

Imports

Library KERNEL32.dll:
0x408000 ExitProcess
0x408004 CreateFileA
0x408008 WriteFile
0x40800c CreateFileW
0x408010 GetTempPathW
0x408014 GetModuleFileNameA
0x408018 CloseHandle
0x40801c GetCommandLineA
0x408020 GetStartupInfoA
0x408024 TerminateProcess
0x408028 GetCurrentProcess
0x408034 IsDebuggerPresent
0x408038 GetModuleHandleW
0x40803c Sleep
0x408040 GetProcAddress
0x408044 GetStdHandle
0x408054 WideCharToMultiByte
0x408058 GetLastError
0x408060 SetHandleCount
0x408064 GetFileType
0x40806c TlsGetValue
0x408070 TlsAlloc
0x408074 TlsSetValue
0x408078 TlsFree
0x408080 SetLastError
0x408084 GetCurrentThreadId
0x40808c HeapCreate
0x408090 VirtualFree
0x408094 HeapFree
0x40809c GetTickCount
0x4080a0 GetCurrentProcessId
0x4080b0 LoadLibraryA
0x4080b8 GetCPInfo
0x4080bc GetACP
0x4080c0 GetOEMCP
0x4080c4 IsValidCodePage
0x4080c8 HeapAlloc
0x4080cc VirtualAlloc
0x4080d0 HeapReAlloc
0x4080d4 RtlUnwind
0x4080d8 HeapSize
0x4080dc GetLocaleInfoA
0x4080e0 LCMapStringA
0x4080e4 MultiByteToWideChar
0x4080e8 LCMapStringW
0x4080ec GetStringTypeA
0x4080f0 GetStringTypeW
Library USER32.dll:
0x408104 wsprintfW
0x408108 wsprintfA
Library SHELL32.dll:
0x4080f8 ShellExecuteA
0x4080fc ShellExecuteW

.text
`.rdata
@.data
.rsrc
@.reloc
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
ExitProcess
CreateFileA
WriteFile
CreateFileW
GetTempPathW
GetModuleFileNameA
CloseHandle
KERNEL32.dll
wsprintfW
wsprintfA
USER32.dll
ShellExecuteA
ShellExecuteW
SHELL32.dll
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
Sleep
GetProcAddress
GetStdHandle
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapAlloc
VirtualAlloc
HeapReAlloc
RtlUnwind
HeapSize
GetLocaleInfoA
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.text
`.rdata
@.data
.rsrc
@.reloc
SHGetPathFromIDListW
SHGetPathFromIDListA
InitializeCriticalSectionAndSpinCount
GetProcessMemoryInfo
SetProcessDEPPolicy
IsUserAnAdmin
CreateEventW
ProcessIdToSessionId
CloseHandle
NtAcceptConnectPort
NtRequestPort
NtRequestWaitReplyPort
NtReplyWaitReceivePort
NtReplyPort
NtImpersonateClientOfPort
NtReadRequestData
NtWriteRequestData
IsWow64Process
RtlInitUnicodeString
NtCreatePort
CreateThread
NtConnectPort
NtCompleteConnectPort
CreateFileMappingW
SetEntriesInAclW
RegQueryValueExA
RegCloseKey
WTSGetActiveConsoleSessionId
IsDebuggerPresent
EncodePointer
DecodePointer
ntdll.dll
VerSetConditionMask
KERNEL32.DLL
VerifyVersionInfoA
Terminal Server
System\CurrentControlSet\Control\ProductOptions
ProductSuite
eeclnt.pdb
GetLastError
lstrlenA
InitializeCriticalSection
GetTickCount
SetEvent
GetCurrentProcessId
WaitForSingleObject
GetCurrentThread
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
TerminateThread
ResetEvent
GetCurrentThreadId
DeleteCriticalSection
UnmapViewOfFile
CreateMutexW
MapViewOfFile
VirtualAlloc
ReleaseMutex
OpenFileMappingW
InterlockedIncrement
WaitForMultipleObjects
OpenProcess
DuplicateHandle
OpenMutexW
LocalAlloc
LocalFree
GetVersion
GetModuleHandleA
GetProcAddress
lstrcmpA
GetVersionExW
GetSystemTimeAsFileTime
SetThreadPriority
LoadLibraryW
FreeLibrary
KERNEL32.dll
PeekMessageW
TranslateMessage
DispatchMessageW
MsgWaitForMultipleObjects
USER32.dll
OpenThreadToken
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
RegOpenKeyA
ADVAPI32.dll
malloc
??3@YAXPAX@Z
??2@YAPAXI@Z
_snwprintf_s
_purecall
srand
MSVCR110.dll
??1type_info@@UAE@XZ
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
_XcptFilter
__crtGetShowWindowMode
_amsg_exit
__wgetmainargs
__set_app_type
_exit
_cexit
_configthreadlocale
__setusermatherr
_initterm_e
_initterm
_wcmdln
_fmode
_commode
_lock
_unlock
_calloc_crt
__dllonexit
_onexit
?terminate@@YAXXZ
__crtSetUnhandledExceptionFilter
_invoke_watson
_controlfp_s
_except_handler4_common
IsProcessorFeaturePresent
QueryPerformanceCounter
memcpy
memset
.?AVtype_info@@
.?AV?$CNodcommClientNt@K@@
.?AV?$CNodcommClientNt@_K@@
.?AV?$CNodcommStructsNt@K@@
.?AV?$CNodcommServerNt@K@@
.?AV?$CNodcommStructsNt@_K@@
.?AVCNodcommCommonNt@@
.?AV?$CNodcommServerNt@_K@@
.?AVINodcommClient@@
.?AVINodcommServer@@
.?AVCNodcommClient9x@@
.?AVCNodcommCommon9x@@
.?AVCNodcommServer9x@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
.text
`.rdata
@.data
.rsrc
@.reloc
ExitProcess
CreateFileA
GetFileSize
ReadFile
VirtualAlloc
GetModuleFileNameA
CloseHandle
KERNEL32.dll
wsprintfA
USER32.dll
malloc
MSVCR90.dll
_encode_pointer
_malloc_crt
_encoded_null
_decode_pointer
_initterm
_initterm_e
_amsg_exit
_adjust_fdiv
__CppXcptFilter
_crt_debugger_hook
__clean_type_info_names_internal
_unlock
__dllonexit
_lock
_onexit
_except_handler4_common
InterlockedExchange
Sleep
InterlockedCompareExchange
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
??2@YAPAXI@Z
??3@YAXPAX@Z
?terminate@@YAXXZ
_XcptFilter
__set_app_type
__setusermatherr
__wgetmainargs
_calloc_crt
_cexit
_configthreadlocale
_controlfp_s
_exit
_invoke_watson
_purecall
_snwprintf_s
memcpy
memset
srand
?_type_info_dtor_internal_method@type_info@@QAEXXZ
MSVCR110.dll
??1type_info@@UAE@XZ
??2@YAPAXI@Z
??3@YAXPAX@Z
__crtGetShowWindowMode
__crtSetUnhandledExceptionFilter
__crtTerminateProcess
__crtUnhandledException
_wcmdln
?terminate@@YAXXZ
_XcptFilter
__dllonexit
__set_app_type
__setusermatherr
__wgetmainargs
_amsg_exit
_calloc_crt
_cexit
_commode
_configthreadlocale
_controlfp_s
_crt_debugger_hook
_except_handler4_common
_exit
_fmode
_initterm
_initterm_e
_invoke_watson
_lock
_onexit
_purecall
_snwprintf_s
_unlock
malloc
memcpy
memset
srand
mscoree.dll
KERNEL32.DLL
adobe.exe
MSVCR110.dll
MSVCR110.dat
a.bat
shell32.dll
kernel32.dll
psapi.dll
ntdll.dll
advapi32.dll
\BaseNamedObjects\NODCOMM%08XTo%08XCommPort
@NODCOMM%08XTo%08XReceiverMutex
NODCOMM%08XTo%08XCommMutex
NODCOMM%08XTo%08XSendEvent
NODCOMM%08XTo%08XAckEvent
NODCOMM%08XTo%08XSection
@Global\
%sNODCOMM%08XTo%08XBroadcastMutex
%sNODCOMM%08XTo%08XBroadcast
VS_VERSION_INFO
StringFileInfo
040904e4
CompanyName
FileDescription
ESET Elevated Client
FileVersion
8.0.319.0
InternalName
eeclnt.exe
LegalCopyright
Copyright (c) ESET, spol. s r.o. 1992-2015. All rights reserved.
LegalTrademarks
NOD, NOD32, AMON, ESET are registered trademarks of ESET.
OriginalFilename
eeclnt.exe
ProductName
ESET Smart Security
ProductVersion
8.0.319.0
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


exe.bin, PID: 828, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\exe.bin
Command Line: "C:\Users\user\AppData\Local\Temp\exe.bin"
adobe.exe, PID: 2208, Parent PID: 828
Full Path: C:\Users\user\AppData\Local\Temp\adobe.exe
Command Line: "C:\Users\user\AppData\Local\Temp\adobe.exe"
cmd.exe, PID: 2876, Parent PID: 828
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /c ""C:\Users\user\AppData\Local\Temp\a.bat" "
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE
eeclnt.exe, PID: 1576, Parent PID: 2208
Full Path: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
Command Line: "C:\Users\user\AppData\Roaming\Windows\eeclnt.exe" 258
msiexec.exe, PID: 1308, Parent PID: 1576
Full Path: C:\Windows\sysnative\msiexec.exe
Command Line: C:\Windows\system32\msiexec.exe "259"
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
eeclnt.exe, PID: 2316, Parent PID: 460
Full Path: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
Command Line: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260"
msiexec.exe, PID: 740, Parent PID: 2316
Full Path: C:\Windows\sysnative\msiexec.exe
Command Line: C:\Windows\system32\msiexec.exe "261"
svchost.exe, PID: 2908, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\System32\svchost.exe -k WerSvcGroup
WerFault.exe, PID: 1340, Parent PID: 2908
Full Path: C:\Windows\sysnative\WerFault.exe
Command Line: C:\Windows\system32\WerFault.exe -u -p 740 -s 924
WerFault.exe, PID: 2640, Parent PID: 2908
Full Path: C:\Windows\sysnative\WerFault.exe
Command Line: C:\Windows\system32\WerFault.exe -u -p 740 -s 896

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 153.148.83.172 Japan

TCP

Source Source Port Destination Destination Port
192.168.35.21 49205 153.148.83.172 (news.singmicrosoft.ga) 443

UDP

Source Source Port Destination Destination Port
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
news.singmicrosoft.ga CNAME sinkhole.dynu.net
                      A 153.148.83.172
                      CNAME a.sinkhole.yourtrap.com

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No dropped Suricata extracted files.

JA3

No JA3 hashes found.

File name MSVCR110.dat
Associated Filenames
C:\Users\user\AppData\Local\Temp\MSVCR110.dat
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
File Size 38499 bytes
File Type Applesoft BASIC program data
MD5 44d4f0785f7b95ba308bf9154cd03e2c
SHA1 86b621a0bfc07e68cc36dbf169a139753804738e
SHA256 2201c3ac955148a078d366dc1e9f552fca4a872756d3b6da93494cde8d5decd5
CRC32 C1DD715E
Ssdeep 768:6rG+PUoqam8Ho5sGqL1W+WbJe2fhiK/eMxykRPRw1:WGf56o5sZLA3xiK/e8yk8
ClamAV None
Yara None matched
CAPE Yara None matched
File name adobe.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
File Size 53448 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b31f492db30ff846c45e79ca269912dd
SHA1 bb328a9ce7db3895633d59a7ad390ce7f557f2f9
SHA256 36d76999e9090c99fae2388cd3476134464807fc597f67c60eebc76e32339683
CRC32 C13CBBF7
Ssdeep 1536:6wSmRm9OYTDgDQe2lrtEbstgNXt8GAlrmw:6Nw0Y92CstYXt8GAlrt
ClamAV None
Yara None matched
CAPE Yara None matched
File name MSVCR110.dll
Associated Filenames
C:\Users\user\AppData\Local\Temp\MSVCR110.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
File Size 9728 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 79bef92272c7d1c6236a03c26a0804cc
SHA1 a72a4db4188b49942b442379e1b4f30049d2d2f7
SHA256 d784a12fec628860433c28caa353bb52923f39d072437393629039fa4b2ec8ad
CRC32 EB447848
Ssdeep 192:y14sMryjQUic5kslkhivLqcnlo2+9r3X+EqoIoOLXi/sW6Hr6j:y+1UiK2Ezqc+/9TuVoOTikrO
ClamAV None
Yara None matched
CAPE Yara None matched
File name a.bat
Associated Filenames
C:\Users\user\AppData\Local\Temp\a.bat
File Size 115 bytes
File Type ASCII text
MD5 f2ba6abea9c1a8e945b1cbebd908c1f8
SHA1 e60df096d0e7433119595d9a143a0acbb032ea9a
SHA256 087838fa6648a398e50a5fed5ade987c4e8f19ab75dcc9fe361f97f6b2a6aeaa
CRC32 CBFC43E3
Ssdeep 3:mRv9NcpkVkE2J5xAIcAAMZ4MDcpkVkE2J5xAIcAqfKSRn:mRlNOk/23f+G4cOk/23fUlR
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
:Repeat
del C:\Users\user\AppData\Local\Temp\exe.bin
if exist C:\Users\user\AppData\Local\Temp\exe.bin goto Repeat
File name exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\exe
File Size 13822 bytes
File Type Microsoft Word 2007+
MD5 70ed4d802f2eb6b22b7a482df7dd722d
SHA1 537a7653c2a48c077b42d7a1b42082d9f262fd8d
SHA256 b4e630fc970052653436fc447cdc9354f7920e691642276c1d7c3e7f593b164f
CRC32 ED64A5A8
Ssdeep 192:IPmxCqWpvvD3zu92UesLgpg45bv/0CEjO3qcf0ztxQMYgL0J4IoCy1Zr3GuuIkG0:IwfWp3DS2U1LgWIsQkw34miZrG2jm
ClamAV None
Yara None matched
CAPE Yara None matched
File name MSVCR110.dll
Associated Filenames
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x001C0000
Process adobe.exe
PID 2208
Path C:\Users\user\AppData\Local\Temp\adobe.exe
MD5 cb2bce0aea9d53de8f32beb5b04d4009
SHA1 4ef0a89de77546ba764784f9bda0266a164d898b
SHA256 0998c98a2573ca12f862b8c9719d7bad1f905a4c469a077fb895be7abe5cab38
CRC32 66C2ED4F
Ssdeep 768:jRYy7XXw+vL+kWZtZj8TQ1ymJprr9X9Y9rmji6:jn7XXw+z+/44yej
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x00250000
Process eeclnt.exe
PID 1576
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 ff7f1c2aa07299e7cd55660447cd6fde
SHA1 3d303d9b155a2b800c9f8f235e08f9ae18799a4d
SHA256 790578867e11c96a4299ca7f5594d897a5438e8e59d6e8fb43f9a4ce3d356088
CRC32 B2AAC67D
Ssdeep 768:YzxrqNkIj+Gu+izZtZ6xJqz/iBvUCLoQbc9rmji6:Y1eiIj+d+NHk/ivFj
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x00200000
Process eeclnt.exe
PID 2316
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 810ebb706b2445f0271e24996674e357
SHA1 2d19c6696321531f12f50fd3b7bc0b5136764ed6
SHA256 8c4fa93e6af3286cd5997d6e466919d561e1c556b417ff31c60899ce194c4d30
CRC32 072D28CD
Ssdeep 768:nZ0yfDk+jv+sSZtZP47AtXOWxlDhbVo9rmji6:nrfDk+L+P0AOuj
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 77824 bytes
Virtual Address 0x00000000001F0000
Process msiexec.exe
PID 1308
Path C:\Windows\sysnative\msiexec.exe
MD5 d34f342464991f1df9c2c2f3026864c1
SHA1 30b903675e6916fe5500b6e3f0d8dfd51c9a3409
SHA256 9fe867e2bb4ca67750966ed6a32b9ba2b77d583dfec2018f9eac06b752d5fadc
CRC32 501C065F
Ssdeep 768:fLTwOYZ5tSzl70tYsOR0aibj+4weeudAw6GKjSji6:8EB0qX3jeNAkj
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
CAPE Yara None matched
Process Name exe.bin
PID 828
Dump Size 225792 bytes
Module Path C:\Users\user\AppData\Local\Temp\exe.bin
Type PE image: 32-bit executable
MD5 0424a474b47f3668f785a80f02424cad
SHA1 64444f938c909f48098635ddbaeb30951de76b49
SHA256 966b752e228788e21d737613a9348b22bb770f46351602287c5ebb657839c7c0
CRC32 62335F30
Ssdeep 3072:Ane4pi5ZNw0Y92CstYXt8GAlrs9K1OGof0IspA3Ame8yFye:Ani9CAYXt8GKrsg1OGof0Rvma
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 966b752e228788e21d737613a9348b22bb770f46351602287c5ebb657839c7c0
Process Name cmd.exe
PID 2876
Dump Size 295424 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
MD5 963d7528bbe956a13877e79cfd191599
SHA1 9b2e9af76168d960dd6904b378b191c13cc080dc
SHA256 764f2760e43fd1a61e1ca861a0a9afee1c979687f8c0666d3bcff48cfb8c2c92
CRC32 93B8ABEF
Ssdeep 3072:EG+GIe1sk8k8ir/PDuY0dpcJzT/kXrQcMKdM4MQkfjyGe:RzjsLiTruFiJUbQcDLMQkfm
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 764f2760e43fd1a61e1ca861a0a9afee1c979687f8c0666d3bcff48cfb8c2c92
Process Name adobe.exe
PID 2208
Dump Size 40448 bytes
Module Path C:\Users\user\AppData\Local\Temp\adobe.exe
Type PE image: 32-bit executable
MD5 1ebb6637444a69804358b2083b406b13
SHA1 0681207bbb9218fe1bea38e18cf70bee788e8c23
SHA256 be75d93258c081421a984d29ab6d17a2f1c4d57819e166180af52430c96d062e
CRC32 E8AFD37C
Ssdeep 768:jxgRNSSReOuNiY3D4WuBfQKq1Xrjr3HHWMvvjJE3A1Xt8vin/vHE:jxgRNSSReJiY3DEfQKq1/rhtE3UXt8qE
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename be75d93258c081421a984d29ab6d17a2f1c4d57819e166180af52430c96d062e
Process Name eeclnt.exe
PID 1576
Dump Size 40448 bytes
Module Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
Type PE image: 32-bit executable
MD5 98ab64b8f2ee7c5adbc2b13fdc4078cb
SHA1 63b9c39cec3bb7ea2aa2c60acb46dfac17be48d6
SHA256 72b4c451dd5a8e08bc74f653cceed4762bb06e23c8b058de4d866284fabf8301
CRC32 9961DDD7
Ssdeep 768:1USiReOeNSYnDIGeBPQqd6Z7DrnFKRMS0uX8/xHlXt8vS3Pv3E:1USiReZSYnD0PQa6BrnF6X8xHlXt8a0
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 72b4c451dd5a8e08bc74f653cceed4762bb06e23c8b058de4d866284fabf8301
Process Name eeclnt.exe
PID 2316
Dump Size 40448 bytes
Module Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
Type PE image: 32-bit executable
MD5 bd1bd90df9ac26e9162a1722bea7aa39
SHA1 41f2a9c2dc5a5e7752e1a95ad7e2ee8f38e93895
SHA256 9119b9b3749aede16817ddcf37c54bbea357152710b061d4f027413b4e2c2020
CRC32 7AD2FA6B
Ssdeep 768:7P3uSsRqm0F4YlDucs5hc5Jo1S+bcIwJx1r0xkCCzN/7FHdxXt8vaH157tE:7P3uSsRqD4YlDehc5Jo1vbcIK1rXTzNM
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 9119b9b3749aede16817ddcf37c54bbea357152710b061d4f027413b4e2c2020
Process Name msiexec.exe
PID 1308
Dump Size 125952 bytes
Module Path C:\Windows\sysnative\msiexec.exe
Type PE image: 64-bit executable
MD5 e628a4d82de600c0097642bfbfbc8d0d
SHA1 d3168416943710030eba1cbcd5654e3cf697931c
SHA256 4775744fb7896d69f654ff39d84ef1a5826d7442e6736fbd8e1371c32f152f60
CRC32 5CB4A778
Ssdeep 3072:eTO4rVlSfm1XMrW3ydZb/0aIGioLdmQIf:ElcCXAWC3b/0ShmQI
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 4775744fb7896d69f654ff39d84ef1a5826d7442e6736fbd8e1371c32f152f60
Process Name WerFault.exe
PID 1340
Dump Size 415232 bytes
Module Path C:\Windows\sysnative\WerFault.exe
Type PE image: 64-bit executable
MD5 482dc336c1c78efe034fbc0145799e42
SHA1 ae8a013698fec794422a03b36c06c18b042a235d
SHA256 621a0887912750317d9e26b97b8a3b7def3bce04956c6b8a519a0cf8a42067c1
CRC32 A9945C12
Ssdeep 6144:dNSOXavF7/ANUwEnfD1Dk8+pOxwov5J5+5CqS7tIN/VxHQBvVJyB60OHyLC7v:Bqv5ANUleJpOxn5eDSmN9xHKc2Hyw
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 621a0887912750317d9e26b97b8a3b7def3bce04956c6b8a519a0cf8a42067c1
Process Name svchost.exe
PID 2908
Dump Size 26112 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
MD5 2d4baefc1dd60f34516c14b8069fb2fb
SHA1 b7017890bdaa8913d56b56a4608841d746cd4bc9
SHA256 2ff2bd004e80aec13ce0375675c0843ec1c089253a6684eee0421aa9ec1c4cc0
CRC32 92BA6C3D
Ssdeep 384:OZvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCE/lWPWSsEsj45RCOvojpPKW9C56:uWkX7q+f5TYvVeZMmn+0C4x/EbvKpPK
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 2ff2bd004e80aec13ce0375675c0843ec1c089253a6684eee0421aa9ec1c4cc0
Process Name explorer.exe
PID 1632
Dump Size 2861568 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
MD5 ae52283aafe816252050ec32196d87db
SHA1 426f2ae77b34b497284d9a0f37e5d0156352e7e5
SHA256 f6287ed766dd98b7dd8adaf32a16cb8305391e25a05333badb202c46edacb7a3
CRC32 9BCBFD38
Ssdeep 49152:kxrceI/lIRYraisQhFCUuDvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:GrcPlIW6vYYYYYYYYYYYRYYYYYYYYYY4
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename f6287ed766dd98b7dd8adaf32a16cb8305391e25a05333badb202c46edacb7a3

Processing ( 8.101 seconds )

  • 3.397 CAPE
  • 2.738 ProcDump
  • 1.105 BehaviorAnalysis
  • 0.237 Dropped
  • 0.23 TargetInfo
  • 0.181 Static
  • 0.095 TrID
  • 0.089 Deduplicate
  • 0.014 Strings
  • 0.009 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 1.001 seconds )

  • 0.552 antidbg_windows
  • 0.042 NewtWire Behavior
  • 0.041 decoy_document
  • 0.039 api_spamming
  • 0.037 antiav_detectreg
  • 0.031 antivm_vbox_window
  • 0.025 antisandbox_script_timer
  • 0.015 stealth_file
  • 0.014 infostealer_ftp
  • 0.011 antivm_generic_disk
  • 0.009 mimics_filetime
  • 0.009 ransomware_files
  • 0.008 virus
  • 0.008 antianalysis_detectreg
  • 0.008 infostealer_im
  • 0.007 bootkit
  • 0.007 antivm_generic_scsi
  • 0.006 Doppelganging
  • 0.006 antiemu_wine_func
  • 0.006 reads_self
  • 0.006 dynamic_function_loading
  • 0.006 infostealer_mail
  • 0.005 malicious_dynamic_function_loading
  • 0.005 injection_createremotethread
  • 0.005 InjectionCreateRemoteThread
  • 0.005 infostealer_browser_password
  • 0.005 kovter_behavior
  • 0.005 hancitor_behavior
  • 0.004 InjectionInterProcess
  • 0.004 antiav_detectfile
  • 0.004 ransomware_extensions
  • 0.003 exploit_getbasekerneladdress
  • 0.003 recon_programs
  • 0.003 antivm_generic_services
  • 0.003 exploit_gethaldispatchtable
  • 0.003 persistence_autorun
  • 0.003 antivm_vbox_keys
  • 0.003 infostealer_bitcoin
  • 0.002 injection_runpe
  • 0.002 betabot_behavior
  • 0.002 InjectionProcessHollowing
  • 0.002 kibex_behavior
  • 0.002 shifu_behavior
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_xen_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 masquerade_process_name
  • 0.002 recon_fingerprint
  • 0.001 tinba_behavior
  • 0.001 uac_bypass_eventvwr
  • 0.001 antivm_vbox_libs
  • 0.001 antidebug_guardpages
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 exploit_heapspray
  • 0.001 stack_pivot
  • 0.001 InjectionSetWindowLong
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vpc_keys
  • 0.001 ketrican_regkeys
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway

Reporting ( 0.038 seconds )

  • 0.03 SubmitCAPE
  • 0.008 CompressResults
Task ID 131454
Mongo ID 5e79a70922fb4f13386d6e23
Cuckoo release 1.3-CAPE